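#!/usr/bin/env bash
#
# Host bootstrap for an OP Stack deployment.
#
# Creates the service group and account, lays out the install, state and
# config trees, seeds commented-out env-file stubs, and generates the JWT
# secret that the op-node and op-reth stubs point at.
#
# Usage: <this script> <deployer|ops>
#
# Environment overrides (default in parentheses):
#   OP_STACK_SERVICE_USER   (opstack)
#   OP_STACK_SERVICE_GROUP  (opstack)
#   OP_STACK_INSTALL_ROOT   (/opt/op-stack)
#   OP_STACK_STATE_ROOT     (/var/lib/op-stack)
#   OP_STACK_CONFIG_ROOT    (/etc/op-stack)
#
# The script calls groupadd/useradd and chowns files to root, so it is
# presumably meant to be run as root.
set -euo pipefail

ROLE="${1:-}"
if [[ "$ROLE" != "deployer" && "$ROLE" != "ops" ]]; then
  # Name the accepted roles; they are exactly the two values tested above.
  echo "Usage: $0 <deployer|ops>" >&2
  exit 1
fi

SERVICE_USER="${OP_STACK_SERVICE_USER:-opstack}"
SERVICE_GROUP="${OP_STACK_SERVICE_GROUP:-opstack}"
INSTALL_ROOT="${OP_STACK_INSTALL_ROOT:-/opt/op-stack}"
STATE_ROOT="${OP_STACK_STATE_ROOT:-/var/lib/op-stack}"
CONFIG_ROOT="${OP_STACK_CONFIG_ROOT:-/etc/op-stack}"

# --- service account -------------------------------------------------------

if ! getent group "$SERVICE_GROUP" >/dev/null 2>&1; then
  groupadd --system "$SERVICE_GROUP"
fi

if ! id -u "$SERVICE_USER" >/dev/null 2>&1; then
  # System account with no login shell; its home is the state directory.
  useradd \
    --system \
    --home-dir "$STATE_ROOT" \
    --create-home \
    --shell /usr/sbin/nologin \
    --gid "$SERVICE_GROUP" \
    "$SERVICE_USER"
fi

# --- directory layout ------------------------------------------------------

install -d -m 755 "$INSTALL_ROOT" "$INSTALL_ROOT/bin" "$INSTALL_ROOT/src" "$INSTALL_ROOT/workdir"
install -d -m 750 "$STATE_ROOT"
install -d -m 750 \
  "$STATE_ROOT/artifacts" \
  "$STATE_ROOT/jwt" \
  "$STATE_ROOT/logs" \
  "$STATE_ROOT/op-node" \
  "$STATE_ROOT/op-reth" \
  "$STATE_ROOT/batcher" \
  "$STATE_ROOT/proposer" \
  "$STATE_ROOT/challenger"

if [[ "$ROLE" == "deployer" ]]; then
  install -d -m 750 "$STATE_ROOT/deployer" "$STATE_ROOT/deployer/.deployer"
else
  install -d -m 750 "$STATE_ROOT/runtime"
fi

# NOTE(review): this hands the whole install tree, including bin/, to the
# service account, so a compromised service can replace the binaries it is
# started from. If only src/ and workdir/ need to be writable, consider
# keeping bin/ owned by root.
chown -R "$SERVICE_USER:$SERVICE_GROUP" "$INSTALL_ROOT" "$STATE_ROOT"

install -d -m 755 "$CONFIG_ROOT" "$CONFIG_ROOT/systemd-examples"

# --- env-file stubs --------------------------------------------------------

#######################################
# Write a stub file unless a non-empty file already exists at that path.
# Arguments:
#   $1 - destination path
#   $2 - stub content (a trailing newline is appended)
# Outputs:
#   Creates or overwrites $1 with mode 640; existing non-empty files are
#   left untouched (content and mode).
#######################################
write_stub_if_missing() {
  local path="$1"
  local content="$2"
  if [[ ! -s "$path" ]]; then
    # Put the file in place with its final mode *before* writing to it.
    # A plain `>` redirect would create it under the caller's umask
    # (typically world-readable) until a later chmod ran.
    install -m 640 /dev/null "$path"
    printf '%s\n' "$content" > "$path"
  fi
}

# Paths inside the stubs follow STATE_ROOT / CONFIG_ROOT so that overriding
# the roots does not leave the examples pointing at the default locations.
write_stub_if_missing "$CONFIG_ROOT/op-stack-l2.env" "# Fill and keep secret values out of git
# OP_STACK_L2_CHAIN_ID=
# L1_RPC_URL=
# L1_BEACON_URL=
# L2_CHAIN_NAME=
"

write_stub_if_missing "$CONFIG_ROOT/op-deployer.env" "# Deployer-side secrets and RPCs
# L1_RPC_URL=
# PRIVATE_KEY=
# DEPLOYER_WORKDIR=$STATE_ROOT/deployer/.deployer
"

write_stub_if_missing "$CONFIG_ROOT/op-node.env" "# Consensus client
# L1_RPC_URL=
# L1_BEACON_URL=
# L2_ENGINE_RPC_URL=http://127.0.0.1:8551
# JWT_SECRET=$CONFIG_ROOT/jwt.hex
# ROLLUP_CONFIG=$STATE_ROOT/artifacts/rollup.json
"

write_stub_if_missing "$CONFIG_ROOT/op-reth.env" "# Preferred execution client
# DATA_DIR=$STATE_ROOT/op-reth
# JWT_SECRET=$CONFIG_ROOT/jwt.hex
# CHAIN_CONFIG=$STATE_ROOT/artifacts/genesis.json
"

write_stub_if_missing "$CONFIG_ROOT/sequencer.env" "# Legacy op-geth fallback only
# DATA_DIR=$STATE_ROOT/op-geth
# JWT_SECRET=$CONFIG_ROOT/jwt.hex
"

write_stub_if_missing "$CONFIG_ROOT/batcher.env" "# Batcher
# L1_RPC_URL=
# L2_RPC_URL=
# PRIVATE_KEY=
"

write_stub_if_missing "$CONFIG_ROOT/proposer.env" "# Proposer
# L1_RPC_URL=
# L2_RPC_URL=
# PRIVATE_KEY=
"

write_stub_if_missing "$CONFIG_ROOT/challenger.env" "# Challenger
# L1_RPC_URL=
# L2_RPC_URL=
# PRIVATE_KEY=
"

# NOTE(review): every *.env ends up root:<service group>. With mode 640 that
# lets any process in the single service group read all of them, including
# the PRIVATE_KEY values of the other roles once they are filled in.
# Existing non-empty env files keep whatever mode they already had.
chown root:"$SERVICE_GROUP" "$CONFIG_ROOT"/*.env

# --- JWT secret ------------------------------------------------------------

if [[ ! -s "$CONFIG_ROOT/jwt.hex" ]]; then
  # Create the file with restrictive ownership and mode first, then fill it.
  # The secret must never sit in a world-readable file, not even for the
  # instant between the redirect and a follow-up chmod.
  install -m 640 -o root -g "$SERVICE_GROUP" /dev/null "$CONFIG_ROOT/jwt.hex"
  openssl rand -hex 32 > "$CONFIG_ROOT/jwt.hex"
fi
# Re-assert ownership and mode on every run, including for a pre-existing secret.
chown root:"$SERVICE_GROUP" "$CONFIG_ROOT/jwt.hex"
chmod 640 "$CONFIG_ROOT/jwt.hex"

# The listing is cut off in the middle of the next statement; the fragment is
# kept as it appears and the remainder of the script is not shown.
cat <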