proxmox/scripts/besu/generate-node-keys-for-missing-vmids.sh

#!/usr/bin/env bash
# Generate Besu node key (/data/besu/key) only for selected VMIDs that are missing from
# static-nodes.json (no enode in the list yet). Key file = 64 hex chars (32 bytes).
# After running, use: bash scripts/besu/collect-enodes-from-all-besu-nodes.sh --missing-only
#
# Usage:
#   bash scripts/besu/generate-node-keys-for-missing-vmids.sh
#   bash scripts/besu/generate-node-keys-for-missing-vmids.sh --vmid 1505
#   bash scripts/besu/generate-node-keys-for-missing-vmids.sh --apply --vmid 1505 --collect
#   --collect  Run collect-enodes-from-all-besu-nodes.sh --missing-only after generating keys.
#   --force    Overwrite existing key file with new 64-hex key (fixes PEM/wrong-format keys).

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
source "${PROJECT_ROOT}/scripts/lib/load-project-env.sh"

DRY_RUN=true
RUN_COLLECT=false
FORCE=false
TARGET_VMIDS=()

usage() {
  cat <<'EOF'
Usage: bash scripts/besu/generate-node-keys-for-missing-vmids.sh [--apply] [--dry-run] [--collect] [--force] [--vmid <N>]

Options:
  --dry-run     Print intended actions only (default)
  --apply       Generate node keys on selected VMIDs
  --collect     Run collect-enodes-from-all-besu-nodes.sh --missing-only after generating keys
  --force       Overwrite existing key files
  --vmid <N>    Limit to one VMID; repeatable
EOF
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    --dry-run)
      DRY_RUN=true
      shift
      ;;
    --apply)
      DRY_RUN=false
      shift
      ;;
    --collect)
      RUN_COLLECT=true
      shift
      ;;
    --force)
      FORCE=true
      shift
      ;;
    --vmid)
      [[ $# -ge 2 ]] || { usage >&2; exit 2; }
      TARGET_VMIDS+=("$2")
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown argument: $1" >&2
      usage >&2
      exit 2
      ;;
  esac
done

STATIC_FILE="${PROJECT_ROOT}/config/besu-node-lists/static-nodes.json"
SSH_OPTS="-o ConnectTimeout=8 -o StrictHostKeyChecking=accept-new"

BESU_VMIDS=(1000 1001 1002 1003 1004 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 2101 2102 2103 2201 2301 2303 2304 2305 2306 2307 2308 2400 2401 2402 2403 2420 2430 2440 2460 2470 2480)
declare -A IP_BY_VMID
IP_BY_VMID[1000]=192.168.11.100
IP_BY_VMID[1001]=192.168.11.101
IP_BY_VMID[1002]=192.168.11.102
IP_BY_VMID[1003]=192.168.11.103
IP_BY_VMID[1004]=192.168.11.104
IP_BY_VMID[1500]=192.168.11.150
IP_BY_VMID[1501]=192.168.11.151
IP_BY_VMID[1502]=192.168.11.152
IP_BY_VMID[1503]=192.168.11.153
IP_BY_VMID[1504]=192.168.11.154
IP_BY_VMID[1505]=192.168.11.213
IP_BY_VMID[1506]=192.168.11.214
IP_BY_VMID[1507]=192.168.11.244
IP_BY_VMID[1508]=192.168.11.245
IP_BY_VMID[1509]=192.168.11.219
IP_BY_VMID[1510]=192.168.11.220
IP_BY_VMID[2101]=192.168.11.211
IP_BY_VMID[2102]=192.168.11.212
IP_BY_VMID[2103]=192.168.11.217
IP_BY_VMID[2201]=192.168.11.221
IP_BY_VMID[2301]=192.168.11.232
IP_BY_VMID[2303]=192.168.11.233
IP_BY_VMID[2304]=192.168.11.234
IP_BY_VMID[2305]=192.168.11.235
IP_BY_VMID[2306]=192.168.11.236
IP_BY_VMID[2307]=192.168.11.237
IP_BY_VMID[2308]=192.168.11.238
IP_BY_VMID[2400]=192.168.11.240
IP_BY_VMID[2401]=192.168.11.241
IP_BY_VMID[2402]=192.168.11.242
IP_BY_VMID[2403]=192.168.11.243
IP_BY_VMID[2420]=192.168.11.172
IP_BY_VMID[2430]=192.168.11.173
IP_BY_VMID[2440]=192.168.11.174
IP_BY_VMID[2460]=192.168.11.246
IP_BY_VMID[2470]=192.168.11.247
IP_BY_VMID[2480]=192.168.11.248

selected_vmid() {
  local vmid="$1"
  [[ ${#TARGET_VMIDS[@]} -eq 0 ]] && return 0
  local wanted
  for wanted in "${TARGET_VMIDS[@]}"; do
    [[ "$vmid" == "$wanted" ]] && return 0
  done
  return 1
}

# Which VMIDs are missing (IP not in current static-nodes.json)
declare -A EXISTING_IP
[[ -f "$STATIC_FILE" ]] && while IFS= read -r enode; do
  [[ -z "$enode" ]] && continue
  ip=$(echo "$enode" | sed -n 's|enode://[a-fA-F0-9]*@\([0-9.]*\):.*|\1|p')
  [[ -n "$ip" ]] && EXISTING_IP[$ip]=1
done < <(jq -r '.[]' "$STATIC_FILE" 2>/dev/null)

VMIDS_TO_FIX=()
for vmid in "${BESU_VMIDS[@]}"; do
  selected_vmid "$vmid" || continue
  ip="${IP_BY_VMID[$vmid]:-}"
  [[ -z "$ip" ]] && continue
  [[ -z "${EXISTING_IP[$ip]:-}" ]] && VMIDS_TO_FIX+=( "$vmid" )
done

if [[ ${#VMIDS_TO_FIX[@]} -eq 0 ]]; then
  echo "All 32 IPs already in static-nodes.json. No keys to generate."
  exit 0
fi

echo "Generating node keys for ${#VMIDS_TO_FIX[@]} VMIDs (missing from list): ${VMIDS_TO_FIX[*]}"
echo ""

for vmid in "${VMIDS_TO_FIX[@]}"; do
  host="$(get_host_for_vmid "$vmid")"
  ip="${IP_BY_VMID[$vmid]:-}"
  [[ -z "$host" ]] && echo "  $vmid: no host" && continue
  if $DRY_RUN; then
    echo "  [dry-run] VMID $vmid @ $host: would ensure /data/besu/key (64 hex)"
    continue
  fi
  FORCE_VAL=false
  $FORCE && FORCE_VAL=true
  result=$(ssh $SSH_OPTS "root@$host" "pct exec $vmid -- bash -c '
    mkdir -p /data/besu
    FORCE_VAL=\"$FORCE_VAL\"
    if [ -f /data/besu/key ] || [ -f /data/besu/nodekey ]; then
      if [ \"\$FORCE_VAL\" != true ]; then
        echo SKIP
        exit 0
      fi
    fi
    if command -v openssl >/dev/null 2>&1; then
      openssl rand -hex 32 > /data/besu/key && chmod 600 /data/besu/key && (chown besu:besu /data/besu/key 2>/dev/null || chown root:root /data/besu/key) && echo OK
    else
      echo NOOPENSSL
      exit 1
    fi
  '" 2>/dev/null || echo "FAIL")
  if [[ "$result" == *"OK"* ]]; then
    echo "  $vmid $ip: key generated"
  elif [[ "$result" == *"SKIP"* ]]; then
    echo "  $vmid $ip: key already present (skip)"
  else
    echo "  $vmid $ip: $result"
  fi
done

echo ""
if $RUN_COLLECT && ! $DRY_RUN; then
  echo "Running collect-enodes-from-all-besu-nodes.sh --missing-only..."
  collect_args=(--apply --missing-only)
  for vmid in "${TARGET_VMIDS[@]}"; do
    collect_args+=(--vmid "$vmid")
  done
  bash "${SCRIPT_DIR}/collect-enodes-from-all-besu-nodes.sh" "${collect_args[@]}"
fi