refactor: rename SolaceScanScout to Solace and update related configurations

- Updated branding from "SolaceScanScout" to "Solace" across various files including deployment scripts, API responses, and documentation.
- Changed default base URL for Playwright tests and updated security headers to reflect the new branding.
- Enhanced README and API documentation to include new authentication endpoints and product access details.

This refactor aligns the project branding and improves clarity in the API documentation.
This commit is contained in:
defiQUG
2026-04-10 12:52:17 -07:00
parent bdae5a9f6e
commit f46bd213ba
160 changed files with 13274 additions and 1061 deletions

View File

@@ -0,0 +1,171 @@
# Explorer Access Edge Enforcement Runbook
Operational runbook for enforcing explorer-issued API keys at the RPC edge for Chain 138 service lanes such as:
- `alltra-rpc` on VMID `2102`
- `thirdweb-rpc` on VMID `2103`
- approval-gated `core-rpc` on VMID `2101`
This complements the explorer access console and backend access APIs. The explorer can already issue, rotate, revoke, and validate keys; this runbook covers how to enforce those keys on nginx-facing RPC endpoints.
## Preconditions
- Explorer config/API backend is running on VMID `5000` and reachable at `127.0.0.1:8081`
- `ACCESS_INTERNAL_SECRET` is configured on the explorer API service
- Users and subscriptions are already managed through `/access`
- The target RPC lane is behind nginx or another proxy that can make a subrequest to the explorer API
## Canonical validator endpoint
- Internal: `http://127.0.0.1:8081/api/v1/access/internal/validate-key`
- Public-prefixed equivalent through explorer nginx: `https://explorer.d-bis.org/explorer-api/v1/access/internal/validate-key`
### Validator modes
- `GET` for nginx `auth_request`
- supply `X-API-Key` or `Authorization: Bearer ...`
- supply `X-Access-Internal-Secret`
- returns `200` on success or `401` on rejection
- includes headers such as:
- `X-Validated-Product`
- `X-Validated-Tier`
- `X-Validated-Scopes`
- `X-Quota-Remaining`
- `POST` for richer internal clients
- JSON body with `api_key`, `method_name`, `request_count`, `last_ip`
- returns JSON payload with validated key metadata
## Canonical nginx pattern
Use [`common/nginx-rpc-api-key-gate.conf`](./common/nginx-rpc-api-key-gate.conf) as the starting template.
For lane-specific rendered configs, use [`../scripts/render-rpc-access-gate-nginx.sh`](../scripts/render-rpc-access-gate-nginx.sh).
The important behavior is:
1. nginx receives user traffic
2. nginx subrequests `/__access_validate_rpc`
3. that subrequest calls the explorer validator with:
- the client API key
- the shared internal secret
- request method and source IP
4. only validated requests are proxied to the protected RPC upstream
## Render a product-specific config
Instead of editing the template manually, render a concrete config for the target lane:
```bash
bash explorer-monorepo/scripts/render-rpc-access-gate-nginx.sh \
--product thirdweb-rpc \
--server-name thirdweb-rpc.example.org \
--internal-secret "$ACCESS_INTERNAL_SECRET" \
--output /etc/nginx/conf.d/thirdweb-rpc-gated.conf
```
Example for `alltra-rpc`:
```bash
bash explorer-monorepo/scripts/render-rpc-access-gate-nginx.sh \
--product alltra-rpc \
--server-name alltra-rpc.example.org \
--internal-secret "$ACCESS_INTERNAL_SECRET" \
--output /etc/nginx/conf.d/alltra-rpc-gated.conf
```
Example for `core-rpc` with an explicit upstream override:
```bash
bash explorer-monorepo/scripts/render-rpc-access-gate-nginx.sh \
--product core-rpc \
--server-name rpc-http-prv.d-bis.org \
--internal-secret "$ACCESS_INTERNAL_SECRET" \
--upstream http://192.168.11.211:8545 \
--output /etc/nginx/conf.d/core-rpc-gated.conf
```
After rendering, verify syntax before reload:
```bash
nginx -t
systemctl reload nginx
```
## Recommended product mapping
| Product | Suggested public host | Upstream target |
|---|---|---|
| `core-rpc` | `rpc-http-prv.d-bis.org` | `http://192.168.11.211:8545` |
| `alltra-rpc` | partner/internal hostname | `http://192.168.11.212:8545` |
| `thirdweb-rpc` | managed SaaS/internal hostname | `http://192.168.11.217:8545` |
For `core-rpc`, keep manual approval enabled and consider IP allowlists in addition to API keys.
## Safe remote install workflow
For an operator-friendly rollout, use the dry-run-first installer:
```bash
bash explorer-monorepo/scripts/install-rpc-access-gate-nginx-via-ssh.sh \
--product thirdweb-rpc \
--server-name thirdweb-rpc.example.org \
--ssh-host root@192.168.11.217 \
--internal-secret "$ACCESS_INTERNAL_SECRET"
```
That prints the rendered config and planned remote target without mutating anything.
Apply only after review:
```bash
bash explorer-monorepo/scripts/install-rpc-access-gate-nginx-via-ssh.sh \
--product thirdweb-rpc \
--server-name thirdweb-rpc.example.org \
--ssh-host root@192.168.11.217 \
--internal-secret "$ACCESS_INTERNAL_SECRET" \
--apply
```
By default the installer copies the config, runs `nginx -t`, and only then reloads nginx.
## Explorer API service env
At minimum, set:
```dotenv
ACCESS_ADMIN_EMAILS=ops@example.org,platform@example.org
ACCESS_INTERNAL_SECRET=replace-with-long-random-secret
```
## Verification
Use the dedicated verifier:
```bash
bash explorer-monorepo/scripts/verify-explorer-access-edge-hook.sh \
--base-url https://explorer.d-bis.org \
--internal-secret "$ACCESS_INTERNAL_SECRET"
```
To test a real key:
```bash
bash explorer-monorepo/scripts/verify-explorer-access-edge-hook.sh \
--base-url https://explorer.d-bis.org \
--internal-secret "$ACCESS_INTERNAL_SECRET" \
--api-key "sk_live_example"
```
## Rollout order
1. Deploy explorer config/API backend so the validator endpoint is live
2. Confirm `ACCESS_INTERNAL_SECRET` is loaded in the service env
3. Apply nginx config for one protected lane first, usually `thirdweb-rpc`
4. Verify validation responses and upstream reachability
5. Expand to `alltra-rpc`
6. Apply stricter controls for `core-rpc` only after admin approval flow is tested
## Honest limits
- This repo now provides the validator hook, operator docs, and example edge config
- Actual enforcement still depends on where the RPC traffic is terminated
- Billing settlement, Stripe, or x402 monetization is a separate commercial layer
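Review bot: the "Public-prefixed equivalent" line under "Canonical validator endpoint" advertises an internal validator at a public URL, so the runbook should state that `/explorer-api/v1/access/internal/` is blocked (or source-IP restricted) at the explorer nginx edge; otherwise `X-Access-Internal-Secret` is the only thing between the internet and the key validator. Two further points on the visible lines: the "Preconditions" say the validator is reachable at `127.0.0.1:8081` on VMID `5000`, but the "Safe remote install workflow" installs the rendered gate on the lane host (`--ssh-host root@192.168.11.217`, which is also the `thirdweb-rpc` upstream), where a loopback address will not reach the explorer API; either document that the gate must run on VMID `5000` or add a validator-URL option to the renderer. And every example passes `--internal-secret "$ACCESS_INTERNAL_SECRET"` and `--api-key "sk_live_example"` as command-line arguments, which end up in shell history and are visible to other local users via `ps`; recommend reading both from the environment or a 0600 file.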

View File

@@ -54,7 +54,7 @@ Use this checklist to track deployment progress.
- [ ] Systemd service files created:
- [ ] `explorer-indexer.service`
- [ ] `explorer-api.service`
- [ ] `explorer-frontend.service`
- [ ] `solacescanscout-frontend.service`
- [ ] Services enabled
- [ ] Services started
- [ ] Service status verified
@@ -201,4 +201,3 @@ _Use this space for deployment-specific notes and issues encountered._
**Deployed By**: _______________
**Container ID**: _______________
**Domain**: explorer.d-bis.org

View File

@@ -477,24 +477,26 @@ EOF
#### Frontend Service
```bash
cat > /etc/systemd/system/explorer-frontend.service << 'EOF'
cat > /etc/systemd/system/solacescanscout-frontend.service << 'EOF'
[Unit]
Description=Explorer Frontend Service
Description=SolaceScan Next Frontend Service
After=network.target explorer-api.service
Requires=explorer-api.service
[Service]
Type=simple
User=explorer
Group=explorer
WorkingDirectory=/home/explorer/explorer-monorepo/frontend
EnvironmentFile=/home/explorer/explorer-monorepo/.env
ExecStart=/usr/bin/npm start
User=www-data
Group=www-data
WorkingDirectory=/opt/solacescanscout/frontend/current
Environment=NODE_ENV=production
Environment=HOSTNAME=127.0.0.1
Environment=PORT=3000
ExecStart=/usr/bin/node /opt/solacescanscout/frontend/current/server.js
Restart=always
RestartSec=10
RestartSec=5
StandardOutput=journal
StandardError=journal
SyslogIdentifier=explorer-frontend
SyslogIdentifier=solacescanscout-frontend
[Install]
WantedBy=multi-user.target
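Review bot: the replacement unit drops the `# Security settings` block (`NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=strict`, `ProtectHome=read-only`, `ReadWritePaths=`) and the `LimitNOFILE`/`LimitNPROC` limits that the removed `explorer-frontend.service` carried, and it runs the Node server as `www-data`, the same account nginx typically uses, so a compromise of either process reaches the other's files. Suggest restoring the hardening lines with `ReadWritePaths=` pointed at whatever the standalone server needs, and a dedicated service user. Also, this guide's unit keeps `Requires=explorer-api.service` / `After=network.target explorer-api.service`, while the shipped `systemd/solacescanscout-frontend.service` in this same commit declares only `After=network.target` / `Wants=network.target`; pick one and make the guide match the file.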
@@ -510,17 +512,17 @@ systemctl daemon-reload
# Enable services
systemctl enable explorer-indexer
systemctl enable explorer-api
systemctl enable explorer-frontend
systemctl enable solacescanscout-frontend
# Start services
systemctl start explorer-indexer
systemctl start explorer-api
systemctl start explorer-frontend
systemctl start solacescanscout-frontend
# Check status
systemctl status explorer-indexer
systemctl status explorer-api
systemctl status explorer-frontend
systemctl status solacescanscout-frontend
```
---
@@ -892,7 +894,7 @@ cat > /etc/logrotate.d/explorer << 'EOF'
create 0640 explorer explorer
sharedscripts
postrotate
systemctl reload explorer-indexer explorer-api explorer-frontend > /dev/null 2>&1 || true
systemctl reload explorer-indexer explorer-api solacescanscout-frontend > /dev/null 2>&1 || true
endscript
}
EOF
@@ -1079,4 +1081,3 @@ journalctl -u cloudflared -f
**Last Updated**: 2024-12-23
**Version**: 1.0.0
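Review bot: the `**Last Updated**: 2024-12-23` / `**Version**: 1.0.0` footer was left unchanged although the frontend unit, the enable/start commands and the logrotate `postrotate` stanza above were all edited in this commit (dated 2026-04-10); bump the date and version so readers can tell which deployment shape the guide describes.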

View File

@@ -9,6 +9,10 @@ This directory contains two different kinds of deployment material:
Start with [`LIVE_DEPLOYMENT_MAP.md`](./LIVE_DEPLOYMENT_MAP.md).
Primary public explorer surface: `https://blockscout.defi-oracle.io`
Companion explorer-facing properties may still exist under `https://explorer.d-bis.org` for Snap and related tooling, but the public explorer verification flow should treat `blockscout.defi-oracle.io` as canonical unless a task explicitly targets a companion surface.
The live explorer is currently assembled from separate deployment paths:
| Component | Live service | Canonical deploy path |
@@ -22,9 +26,10 @@ The live explorer is currently assembled from separate deployment paths:
- [`check-explorer-health.sh`](../scripts/check-explorer-health.sh)
- [`check-explorer-e2e.sh`](../../scripts/verify/check-explorer-e2e.sh)
- `https://explorer.d-bis.org/api/config/capabilities`
- `https://explorer.d-bis.org/explorer-api/v1/track1/bridge/status`
- `https://explorer.d-bis.org/explorer-api/v1/mission-control/stream`
- [`scripts/verify-explorer-access-edge-hook.sh`](../scripts/verify-explorer-access-edge-hook.sh)
- `https://blockscout.defi-oracle.io/api/config/capabilities`
- `https://blockscout.defi-oracle.io/explorer-api/v1/track1/bridge/status`
- `https://blockscout.defi-oracle.io/explorer-api/v1/mission-control/stream`
## Legacy Material In This Directory
@@ -35,6 +40,6 @@ These files remain in the repo, but they describe an older generalized package:
- `DEPLOYMENT_CHECKLIST.md`
- `QUICK_DEPLOY.md`
- `systemd/explorer-api.service`
- `systemd/explorer-frontend.service`
- `systemd/solacescanscout-frontend.service`
Treat those as scaffold or historical reference unless they have been explicitly updated to match the live split architecture.

View File

@@ -172,25 +172,26 @@ This document provides a detailed checklist of all tasks required to deploy the
#### Task 21: Create Systemd Service Files
- [ ] Create `/etc/systemd/system/explorer-indexer.service`
- [ ] Create `/etc/systemd/system/explorer-api.service`
- [ ] Create `/etc/systemd/system/explorer-frontend.service`
- [ ] Set proper ownership: `chown root:root /etc/systemd/system/explorer-*.service`
- [ ] Set proper permissions: `chmod 644 /etc/systemd/system/explorer-*.service`
- [ ] Create `/etc/systemd/system/solacescanscout-frontend.service`
- [ ] Set proper ownership: `chown root:root /etc/systemd/system/explorer-*.service /etc/systemd/system/solacescanscout-frontend.service`
- [ ] Set proper permissions: `chmod 644 /etc/systemd/system/explorer-*.service /etc/systemd/system/solacescanscout-frontend.service`
#### Task 22: Enable and Start Services
- [ ] Reload systemd: `systemctl daemon-reload`
- [ ] Enable indexer: `systemctl enable explorer-indexer`
- [ ] Enable API: `systemctl enable explorer-api`
- [ ] Enable frontend: `systemctl enable explorer-frontend`
- [ ] Enable frontend: `systemctl enable solacescanscout-frontend`
- [ ] Start indexer: `systemctl start explorer-indexer`
- [ ] Start API: `systemctl start explorer-api`
- [ ] Start frontend: `systemctl start explorer-frontend`
- [ ] Start frontend: `systemctl start solacescanscout-frontend`
#### Task 23: Verify Services
- [ ] Check indexer status: `systemctl status explorer-indexer`
- [ ] Check API status: `systemctl status explorer-api`
- [ ] Check frontend status: `systemctl status explorer-frontend`
- [ ] Check frontend status: `systemctl status solacescanscout-frontend`
- [ ] Check indexer logs: `journalctl -u explorer-indexer -f`
- [ ] Check API logs: `journalctl -u explorer-api -f`
- [ ] Check frontend logs: `journalctl -u solacescanscout-frontend -f`
- [ ] Verify API responds: `curl http://localhost:8080/health`
- [ ] Verify frontend responds: `curl http://localhost:3000`
@@ -558,4 +559,3 @@ This document provides a detailed checklist of all tasks required to deploy the
**Last Updated**: 2024-12-23
**Version**: 1.0.0
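Review bot: same stale footer as in the deployment guide: `**Last Updated**: 2024-12-23` no longer reflects the Task 21-23 edits made here; update it together with the service rename.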

View File

@@ -110,6 +110,8 @@ SOUL_MACHINES_API_SECRET=
CORS_ALLOWED_ORIGIN=
JWT_SECRET=CHANGE_THIS_JWT_SECRET
ENCRYPTION_KEY=CHANGE_THIS_ENCRYPTION_KEY_32_BYTES
ACCESS_ADMIN_EMAILS=
ACCESS_INTERNAL_SECRET=CHANGE_THIS_INTERNAL_ACCESS_SECRET
# ============================================
# Monitoring (Optional)
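Review bot: `ACCESS_INTERNAL_SECRET=CHANGE_THIS_INTERNAL_ACCESS_SECRET` is a placeholder that will quietly "work" if an operator forgets to replace it, since the same literal would be copied into the nginx gate and match itself on both sides of the `X-Access-Internal-Secret` check. Add a comment showing how to generate a value (for example `openssl rand -hex 32`) and, if the explorer API does not already do so, have it refuse to start while the value still begins with `CHANGE_THIS`. `ACCESS_ADMIN_EMAILS=` being empty also deserves a comment saying whether that disables the admin role or breaks the `/access` approval flow.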
@@ -126,4 +128,3 @@ ENABLE_WEBSOCKET=true
ENABLE_ANALYTICS=true
ENABLE_VTM=false
ENABLE_XR=false

View File

@@ -10,6 +10,7 @@ Complete index of all deployment files and their purposes.
| `DEPLOYMENT_TASKS.md` | Detailed 71-task checklist | 561 |
| `DEPLOYMENT_CHECKLIST.md` | Interactive deployment checklist | 204 |
| `DEPLOYMENT_SUMMARY.md` | Deployment package summary | - |
| `ACCESS_EDGE_ENFORCEMENT_RUNBOOK.md` | RPC/API-key edge enforcement for protected lanes | - |
| `QUICK_DEPLOY.md` | Quick command reference | - |
| `README.md` | Documentation overview | - |
| `INDEX.md` | This file | - |
@@ -28,12 +29,16 @@ Complete index of all deployment files and their purposes.
| `scripts/setup-backup.sh` | Setup backup system | ✅ |
| `scripts/setup-health-check.sh` | Setup health monitoring | ✅ |
| `scripts/verify-deployment.sh` | Verify deployment | ✅ |
| `../scripts/render-rpc-access-gate-nginx.sh` | Render lane-specific nginx gate configs for `2101` / `2102` / `2103` | ✅ |
| `../scripts/install-rpc-access-gate-nginx-via-ssh.sh` | Dry-run-first remote installer for rendered RPC gate configs | ✅ |
| `scripts/full-deploy.sh` | Full automated deployment | ✅ |
## ⚙️ Configuration Files
### Nginx
- `nginx/explorer.conf` - Complete Nginx reverse proxy configuration
- `common/nginx-rpc-api-key-gate.conf` - Example auth-gated RPC upstream template
- `../scripts/render-rpc-access-gate-nginx.sh` - Concrete renderer for auth-gated RPC upstream configs
### Cloudflare
- `cloudflare/tunnel-config.yml` - Cloudflare Tunnel configuration template
@@ -41,7 +46,7 @@ Complete index of all deployment files and their purposes.
### Systemd Services
- `systemd/explorer-indexer.service` - Indexer service file
- `systemd/explorer-api.service` - API service file
- `systemd/explorer-frontend.service` - Frontend service file
- `systemd/solacescanscout-frontend.service` - Next frontend service file
- `systemd/cloudflared.service` - Cloudflare Tunnel service file
### Fail2ban
@@ -125,8 +130,8 @@ deployment/
# Install services
sudo ./deployment/scripts/install-services.sh
sudo systemctl enable explorer-indexer explorer-api explorer-frontend
sudo systemctl start explorer-indexer explorer-api explorer-frontend
sudo systemctl enable explorer-indexer explorer-api solacescanscout-frontend
sudo systemctl start explorer-indexer explorer-api solacescanscout-frontend
# Setup Nginx
sudo ./deployment/scripts/setup-nginx.sh
@@ -142,7 +147,7 @@ sudo ./deployment/scripts/setup-cloudflare-tunnel.sh
```bash
# Check status
systemctl status explorer-indexer explorer-api explorer-frontend
systemctl status explorer-indexer explorer-api solacescanscout-frontend
# View logs
journalctl -u explorer-api -f
@@ -193,4 +198,3 @@ sudo ./deployment/scripts/full-deploy.sh
---
**All deployment files are ready and documented!**

View File

@@ -1,12 +1,13 @@
# Live Deployment Map
Current production deployment map for `explorer.d-bis.org`.
Current production deployment map for the SolaceScan public explorer surface.
This file is the authoritative reference for the live explorer stack as of `2026-04-05`. It supersedes the older monolithic deployment notes in this directory when the question is "what is running in production right now?"
## Public Entry Point
- Public domain: `https://explorer.d-bis.org`
- Canonical public domain: `https://blockscout.defi-oracle.io`
- Companion surface: `https://explorer.d-bis.org`
- Primary container: VMID `5000` (`192.168.11.140`, `blockscout-1`)
- Public edge: nginx on VMID `5000`
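Review bot: the "as of `2026-04-05`" line in the introduction was not updated even though this commit (2026-04-10) swaps the canonical public domain from `explorer.d-bis.org` to `blockscout.defi-oracle.io` and demotes the former to a companion surface; since this file calls itself the authoritative reference, the date should move with every such change.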
@@ -28,6 +29,7 @@ This file is the authoritative reference for the live explorer stack as of `2026
| Next frontend | [`deploy-next-frontend-to-vmid5000.sh`](../scripts/deploy-next-frontend-to-vmid5000.sh) | Builds the Next standalone bundle and installs `solacescanscout-frontend.service` on port `3000` |
| Explorer config assets | [`deploy-explorer-config-to-vmid5000.sh`](../scripts/deploy-explorer-config-to-vmid5000.sh) | Publishes token list, networks, capabilities, topology, verification example, and token icons |
| Explorer config/API backend | [`deploy-explorer-ai-to-vmid5000.sh`](../scripts/deploy-explorer-ai-to-vmid5000.sh) | Builds and installs `explorer-config-api.service` on port `8081` and normalizes nginx `/explorer-api/v1/*` routing |
| RPC/API-key edge enforcement | [`ACCESS_EDGE_ENFORCEMENT_RUNBOOK.md`](./ACCESS_EDGE_ENFORCEMENT_RUNBOOK.md), [`render-rpc-access-gate-nginx.sh`](../scripts/render-rpc-access-gate-nginx.sh) | Canonical nginx `auth_request` pattern plus renderer for `2101` / `2102` / `2103` lanes using the explorer validator |
## Relay Topology
@@ -48,16 +50,16 @@ The explorer backend reads these through `CCIP_RELAY_HEALTH_URL` or `CCIP_RELAY_
The following endpoints currently describe the live deployment contract:
- `https://explorer.d-bis.org/`
- `https://explorer.d-bis.org/bridge`
- `https://explorer.d-bis.org/routes`
- `https://explorer.d-bis.org/liquidity`
- `https://explorer.d-bis.org/api/config/capabilities`
- `https://explorer.d-bis.org/config/CHAIN138_RPC_CAPABILITIES.json`
- `https://explorer.d-bis.org/explorer-api/v1/features`
- `https://explorer.d-bis.org/explorer-api/v1/track1/bridge/status`
- `https://explorer.d-bis.org/explorer-api/v1/mission-control/stream`
- `https://explorer.d-bis.org/token-aggregation/api/v1/routes/matrix`
- `https://blockscout.defi-oracle.io/`
- `https://blockscout.defi-oracle.io/bridge`
- `https://blockscout.defi-oracle.io/routes`
- `https://blockscout.defi-oracle.io/liquidity`
- `https://blockscout.defi-oracle.io/api/config/capabilities`
- `https://blockscout.defi-oracle.io/config/CHAIN138_RPC_CAPABILITIES.json`
- `https://blockscout.defi-oracle.io/explorer-api/v1/features`
- `https://blockscout.defi-oracle.io/explorer-api/v1/track1/bridge/status`
- `https://blockscout.defi-oracle.io/explorer-api/v1/mission-control/stream`
- `https://blockscout.defi-oracle.io/token-aggregation/api/v1/routes/matrix`
## Recommended Rollout Order
@@ -78,7 +80,7 @@ When a change spans relays as well:
## Current Gaps And Legacy Footguns
- Older docs in this directory still describe a monolithic `explorer-api.service` plus `explorer-frontend.service` package. That is no longer the production deployment shape.
- Older docs in this directory still describe a retired monolithic API-plus-frontend package. That is no longer the production deployment shape.
- [`ALL_VMIDS_ENDPOINTS.md`](../../docs/04-configuration/ALL_VMIDS_ENDPOINTS.md) is still correct at the public ingress level, but it intentionally compresses the explorer into `:80/:443` and Blockscout `:4000`. Use this file for the detailed internal listener split.
- There is no single one-shot script in this repo that fully deploys Blockscout, nginx, token aggregation, explorer-config-api, Next frontend, and host-side relays together. Production is currently assembled from the component deploy scripts above.
- `mainnet-weth` is deployed but intentionally paused until that bridge lane is funded again.

View File

@@ -26,10 +26,11 @@ pct enter 100
### Services
```bash
# Start all services
systemctl start explorer-indexer explorer-api explorer-frontend
systemctl start explorer-indexer explorer-api solacescanscout-frontend
# Check status
systemctl status explorer-indexer
journalctl -u solacescanscout-frontend -f
journalctl -u explorer-indexer -f
# Restart
@@ -83,13 +84,13 @@ curl http://localhost:3000
curl http://localhost/api/health
# Through Cloudflare
curl https://explorer.d-bis.org/api/health
curl https://blockscout.defi-oracle.io/api/health
```
## File Locations
- **Config**: `/home/explorer/explorer-monorepo/.env`
- **Services**: `/etc/systemd/system/explorer-*.service`
- **Services**: `/etc/systemd/system/explorer-*.service` and `/etc/systemd/system/solacescanscout-frontend.service`
- **Nginx**: `/etc/nginx/sites-available/explorer`
- **Tunnel**: `/etc/cloudflared/config.yml`
- **Logs**: `/var/log/explorer/` and `journalctl -u explorer-*`
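Review bot: `**Config**: /home/explorer/explorer-monorepo/.env` is now inconsistent with the unit this commit introduces, which runs from `/opt/solacescanscout/frontend/current` with inline `Environment=` lines and no `EnvironmentFile=`; likewise `journalctl -u explorer-*` in the `**Logs**` entry no longer matches `solacescanscout-frontend`. Update both entries or this quick reference will send operators to the wrong files.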
@@ -127,12 +128,11 @@ journalctl -u cloudflared -f
```bash
# Stop all services
systemctl stop explorer-indexer explorer-api explorer-frontend
systemctl stop explorer-indexer explorer-api solacescanscout-frontend
# Restore from backup
gunzip < backup.sql.gz | psql -U explorer explorer
# Restart services
systemctl start explorer-indexer explorer-api explorer-frontend
systemctl start explorer-indexer explorer-api solacescanscout-frontend
```

View File

@@ -20,6 +20,7 @@ That file reflects the live split deployment now in production:
- Frontend deploy: [`scripts/deploy-next-frontend-to-vmid5000.sh`](../scripts/deploy-next-frontend-to-vmid5000.sh)
- Config deploy: [`scripts/deploy-explorer-config-to-vmid5000.sh`](../scripts/deploy-explorer-config-to-vmid5000.sh)
- Explorer config/API deploy: [`scripts/deploy-explorer-ai-to-vmid5000.sh`](../scripts/deploy-explorer-ai-to-vmid5000.sh)
- RPC/API-key edge enforcement: [`ACCESS_EDGE_ENFORCEMENT_RUNBOOK.md`](./ACCESS_EDGE_ENFORCEMENT_RUNBOOK.md)
- Public health audit: [`scripts/check-explorer-health.sh`](../scripts/check-explorer-health.sh)
- Full public smoke: [`check-explorer-e2e.sh`](../../scripts/verify/check-explorer-e2e.sh)

View File

@@ -8,7 +8,8 @@ else
# Insert CSP line after add_header Cache-Control in first location = /
sed -i '/location = \/ {/,/try_files \/index.html =404;/{
/add_header Cache-Control "no-store, no-cache, must-revalidate"/a\
add_header Content-Security-Policy "default-src '\''self'\''; script-src '\''self'\'' '\''unsafe-inline'\'' '\''unsafe-eval'\'' https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; style-src '\''self'\'' '\''unsafe-inline'\'' https://cdnjs.cloudflare.com; img-src '\''self'\'' data: https:; font-src '\''self'\'' https://cdnjs.cloudflare.com; connect-src '\''self'\'' https://explorer.d-bis.org wss://explorer.d-bis.org https://rpc-http-pub.d-bis.org wss://rpc-ws-pub.d-bis.org http://192.168.11.221:8545 ws://192.168.11.221:8546;" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;\
add_header Content-Security-Policy "default-src '\''self'\''; script-src '\''self'\'' '\''unsafe-inline'\'' '\''unsafe-eval'\'' https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; style-src '\''self'\'' '\''unsafe-inline'\'' https://cdnjs.cloudflare.com; img-src '\''self'\'' data: https:; font-src '\''self'\'' https://cdnjs.cloudflare.com; connect-src '\''self'\'' https://blockscout.defi-oracle.io wss://blockscout.defi-oracle.io https://explorer.d-bis.org wss://explorer.d-bis.org https://rpc-http-pub.d-bis.org wss://rpc-ws-pub.d-bis.org http://192.168.11.221:8545 ws://192.168.11.221:8546;" always;
}' "$CONFIG"
echo "Added CSP to HTTP location = /"
fi
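Review bot: the rewritten CSP line keeps `'unsafe-inline' 'unsafe-eval'` in `script-src` and adds plaintext `http://192.168.11.221:8545` / `ws://192.168.11.221:8546` origins to `connect-src` on a public HTTPS site. Browsers refuse those mixed-content connections regardless of the policy, so the only practical effect of the private-IP entries is publishing an internal RPC address in every response header; drop them, and if the frontend build allows it, the `unsafe-*` sources as well.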

View File

@@ -6,7 +6,9 @@ Use as reference or copy into your project.
## Contents
- **nginx-api-location.conf** Generic `location /api/` proxy snippet (upstream host/port to be adjusted).
- **nginx-rpc-api-key-gate.conf** Example `auth_request` pattern for API-key-protected RPC lanes using the explorer access validator.
- **systemd-api-service.example** Example systemd unit for a REST API (env and paths to be adjusted).
- **../scripts/render-rpc-access-gate-nginx.sh** Render a concrete nginx gate config for `core-rpc`, `alltra-rpc`, or `thirdweb-rpc`.
- **cloudflare / fail2ban** See parent `../cloudflare/` and `../fail2ban/` for full configs.
When this is a separate repo, add as submodule at `deployment/common`.

View File

@@ -1,4 +1,4 @@
# Next.js frontend proxy locations for SolaceScanScout.
# Next.js frontend proxy locations for SolaceScan.
# Keep the existing higher-priority locations for:
# - /api/
# - /api/config/token-list
@@ -32,5 +32,6 @@ location / {
proxy_buffering off;
proxy_hide_header Cache-Control;
add_header Cache-Control "no-store, no-cache, must-revalidate" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https:; font-src 'self' https://cdnjs.cloudflare.com; connect-src 'self' https://explorer.d-bis.org wss://explorer.d-bis.org https://rpc-http-pub.d-bis.org wss://rpc-ws-pub.d-bis.org http://192.168.11.221:8545 ws://192.168.11.221:8546;" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https:; font-src 'self' https://cdnjs.cloudflare.com; connect-src 'self' https://blockscout.defi-oracle.io wss://blockscout.defi-oracle.io https://explorer.d-bis.org wss://explorer.d-bis.org https://rpc-http-pub.d-bis.org wss://rpc-ws-pub.d-bis.org http://192.168.11.221:8545 ws://192.168.11.221:8546;" always;
}
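Review bot: same CSP concern as the `sed`-inserted variant: `connect-src` now lists a private-network `http://`/`ws://` origin that a browser on an HTTPS page cannot use, and `script-src` still permits `'unsafe-inline' 'unsafe-eval'`. Also, `add_header` directives in a `location` block replace, rather than extend, those inherited from the `server` block, so any `Strict-Transport-Security` or `X-Content-Type-Options` headers set at server level are silently dropped for `location /` once these three `add_header` lines exist; repeat them here or move the whole set into an `include`d snippet.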

View File

@@ -0,0 +1,56 @@
# Example nginx gate for API-key-protected RPC upstreams using the explorer access API.
# This pattern assumes the explorer config/API backend listens on 127.0.0.1:8081 and
# exposes GET /api/v1/access/internal/validate-key for nginx auth_request.
#
# Replace:
# - ACCESS_INTERNAL_SECRET_VALUE with a real shared secret
# - protected-rpc.example.org with the public host you are protecting
# - upstream IP:port with the actual RPC lane (e.g. 192.168.11.212:8545 or 192.168.11.217:8545)
#
# Clients should send the API key as:
# - X-API-Key: sk_live_...
# or
# - Authorization: Bearer sk_live_...
server {
listen 443 ssl http2;
server_name protected-rpc.example.org;
# Internal subrequest used by auth_request.
location = /__access_validate_rpc {
internal;
proxy_pass http://127.0.0.1:8081/api/v1/access/internal/validate-key;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Access-Internal-Secret "ACCESS_INTERNAL_SECRET_VALUE";
proxy_set_header X-API-Key $http_x_api_key;
proxy_set_header Authorization $http_authorization;
proxy_set_header X-Access-Method $request_method;
proxy_set_header X-Access-Request-Count "1";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
auth_request /__access_validate_rpc;
# Optional metadata exported from the validator for logging or rate decisions.
auth_request_set $validated_product $upstream_http_x_validated_product;
auth_request_set $validated_tier $upstream_http_x_validated_tier;
auth_request_set $validated_scopes $upstream_http_x_validated_scopes;
auth_request_set $quota_remaining $upstream_http_x_quota_remaining;
proxy_pass http://192.168.11.217:8545;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Helpful for downstream logs and operational tracing.
proxy_set_header X-Validated-Product $validated_product;
proxy_set_header X-Validated-Tier $validated_tier;
proxy_set_header X-Validated-Scopes $validated_scopes;
proxy_set_header X-Quota-Remaining $quota_remaining;
}
}
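Review bot: `proxy_set_header X-Access-Internal-Secret "ACCESS_INTERNAL_SECRET_VALUE";` bakes the shared secret into a config file that `nginx -T` and anyone with read access to `/etc/nginx/conf.d` can see; keep it in a separately-permissioned `include` file (0640, root-owned) and have the renderer warn when the placeholder survives. Three more points on the visible lines: (1) `listen 443 ssl http2;` has no `ssl_certificate`/`ssl_certificate_key`, so the rendered file fails `nginx -t` unless those are inherited from the `http` block; the header comment should say so. (2) `X-Access-Method $request_method` carries the HTTP verb (always `POST` for JSON-RPC), not the JSON-RPC `method`, because `proxy_pass_request_body off` discards the body, so `X-Validated-Scopes` cannot be enforced per RPC method at this layer; state that limitation in the comment block rather than letting readers assume scope checks happen here. (3) `auth_request` treats any validator response other than 2xx, 401 or 403 (timeouts, 5xx) as an error and returns 500 to the client, which is fail-closed but worth documenting alongside an explicit `proxy_connect_timeout`/`proxy_read_timeout` on the internal location.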

View File

@@ -17,6 +17,8 @@ Environment=RPC_URL=https://rpc-http-pub.d-bis.org
Environment=TOKEN_AGGREGATION_BASE_URL=http://127.0.0.1:3000
Environment=BLOCKSCOUT_INTERNAL_URL=http://127.0.0.1:4000
Environment=EXPLORER_PUBLIC_BASE=https://explorer.d-bis.org
Environment=ACCESS_ADMIN_EMAILS=ops@example.org
Environment=ACCESS_INTERNAL_SECRET=CHANGE_THIS_INTERNAL_ACCESS_SECRET
Environment=OPERATOR_SCRIPTS_ROOT=/opt/explorer/scripts
Environment=OPERATOR_SCRIPT_ALLOWLIST=check-health.sh,check-bridges.sh
Environment=OPERATOR_SCRIPT_TIMEOUT_SEC=120
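Review bot: `Environment=ACCESS_INTERNAL_SECRET=CHANGE_THIS_INTERNAL_ACCESS_SECRET` places a shared secret in a unit file that the checklist installs with `chmod 644`, and `systemctl show <unit>` prints `Environment=` values to any local user. Move it (and any other secret in this block) to an `EnvironmentFile=` with mode 0600 or a `LoadCredential=` entry, keeping only non-secret settings inline.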

View File

@@ -74,8 +74,7 @@ echo "Next steps:"
echo "1. Configure .env file: /home/explorer/explorer-monorepo/.env"
echo "2. Run database migrations"
echo "3. Build applications"
echo "4. Start services: systemctl start explorer-indexer explorer-api explorer-frontend"
echo "4. Start services: systemctl start explorer-indexer explorer-api solacescanscout-frontend"
echo "5. Configure Cloudflare DNS and SSL"
echo ""
echo "See DEPLOYMENT_GUIDE.md for detailed instructions"

View File

@@ -11,17 +11,17 @@ echo "Installing systemd service files..."
# Copy service files
cp "$DEPLOYMENT_DIR/systemd/explorer-indexer.service" /etc/systemd/system/
cp "$DEPLOYMENT_DIR/systemd/explorer-api.service" /etc/systemd/system/
cp "$DEPLOYMENT_DIR/systemd/explorer-frontend.service" /etc/systemd/system/
cp "$DEPLOYMENT_DIR/systemd/solacescanscout-frontend.service" /etc/systemd/system/
cp "$DEPLOYMENT_DIR/systemd/cloudflared.service" /etc/systemd/system/
# Set permissions
chmod 644 /etc/systemd/system/explorer-*.service
chmod 644 /etc/systemd/system/solacescanscout-frontend.service
chmod 644 /etc/systemd/system/cloudflared.service
# Reload systemd
systemctl daemon-reload
echo "Service files installed. Enable with:"
echo " systemctl enable explorer-indexer explorer-api explorer-frontend"
echo " systemctl start explorer-indexer explorer-api explorer-frontend"
echo " systemctl enable explorer-indexer explorer-api solacescanscout-frontend"
echo " systemctl start explorer-indexer explorer-api solacescanscout-frontend"

View File

@@ -15,7 +15,7 @@ ERRORS=0
# Check services
echo "Checking services..."
for service in explorer-indexer explorer-api explorer-frontend nginx postgresql; do
for service in explorer-indexer explorer-api solacescanscout-frontend nginx postgresql; do
if systemctl is-active --quiet $service; then
echo -e "${GREEN}${NC} $service is running"
else
@@ -100,4 +100,3 @@ else
echo -e "${RED}$ERRORS critical check(s) failed${NC}"
exit 1
fi

View File

@@ -1,33 +0,0 @@
[Unit]
Description=ChainID 138 Explorer Frontend Service
Documentation=https://github.com/explorer/frontend
After=network.target explorer-api.service
Requires=explorer-api.service
[Service]
Type=simple
User=explorer
Group=explorer
WorkingDirectory=/home/explorer/explorer-monorepo/frontend
EnvironmentFile=/home/explorer/explorer-monorepo/.env
ExecStart=/usr/bin/npm start
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal
SyslogIdentifier=explorer-frontend
# Security settings
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/home/explorer/explorer-monorepo/frontend
# Resource limits
LimitNOFILE=65536
LimitNPROC=4096
[Install]
WantedBy=multi-user.target

View File

@@ -1,5 +1,5 @@
[Unit]
Description=SolaceScanScout Next Frontend Service
Description=SolaceScan Next Frontend Service
After=network.target
Wants=network.target
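Review bot: three names now coexist for the same component: the commit message says the brand is `Solace`, the unit file, `SyslogIdentifier` and every `systemctl` command still say `solacescanscout-frontend`, and `Description=` now says `SolaceScan Next Frontend Service`. Either keep the unit name deliberately (and say so in the commit message) or rename it consistently across this file, the guide, the checklists and `install-services.sh`; partial renames are exactly the drift the Live Deployment Map's "legacy footguns" section warns about.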