proxmox/rpc-translator-138/DEPLOYMENT_CHECKLIST.md

# Deployment Checklist - RPC Translator Service

Use this checklist to deploy the RPC Translator service to VMIDs 2400-2402.

## Pre-Deployment Requirements

- [ ] Redis VMID 106 (192.168.11.110) deployed and accessible
- [ ] Web3Signer VMID 107 (192.168.11.111) deployed and accessible
- [ ] Vault VMID 108 (192.168.11.112) deployed and accessible (optional)
- [ ] SSH access to VMIDs 2400-2402, 106, 107, 108
- [ ] Node.js 20 LTS installed on target VMIDs
- [ ] Besu nodes running on VMIDs 2400-2402

## Phase 1: Supporting Services

### Redis Setup (VMID 106, IP: 192.168.11.110)

- [ ] Deploy Redis VMID 106
- [ ] Configure Redis IP: 192.168.11.110
- [ ] Configure Redis with appropriate IP binding (allow translator VMIPs: 240-242)
- [ ] Set Redis password (if required, recommended for production)
- [ ] Test Redis connectivity from translator VMIDs (2400-2402)
- [ ] Verify Redis is accessible on port 6379

### Web3Signer Setup (VMID 107, IP: 192.168.11.111)

- [ ] Deploy Web3Signer VMID 107
- [ ] Configure Web3Signer IP: 192.168.11.111
- [ ] Configure Web3Signer with wallet keys
- [ ] Restrict access to translator VMIPs only (240-242)
- [ ] Verify Web3Signer is accessible on port 9000
- [ ] Test Web3Signer health endpoint: `curl http://192.168.11.111:9000/upcheck`

### Vault Setup (VMID 108, IP: 192.168.11.112) (Optional)

- [ ] Deploy Vault VMID 108
- [ ] Configure Vault IP: 192.168.11.112
- [ ] Initialize Vault (if not already done)
- [ ] Configure Vault to listen on 192.168.11.112:8200
- [ ] Create AppRole for translator service
- [ ] Create translator policy in Vault
- [ ] Store translator configuration in Vault
- [ ] Get AppRole credentials (role_id, secret_id)
- [ ] Document Vault credentials securely

## Phase 2: Translator Deployment

### For Each VMID (2400, 2401, 2402)

#### 1. Initial Setup

- [ ] SSH to VMID: `ssh root@192.168.11.24X`
- [ ] Verify Node.js 20 is installed: `node --version`
- [ ] Install pnpm (if needed): `npm install -g pnpm`
- [ ] Create deployment directory: `mkdir -p /opt/rpc-translator-138`

#### 2. Deploy Application

**Option A: Using deployment script (recommended)**
- [ ] Run from project root: `./scripts/deploy-to-vmid.sh 24XX 192.168.11.24X`

**Option B: Manual deployment**
- [ ] Copy project files to VMID
- [ ] Copy to: `/opt/rpc-translator-138/`
- [ ] Install dependencies: `cd /opt/rpc-translator-138 && pnpm install --prod`
- [ ] Build TypeScript: `pnpm run build`

#### 3. Configuration

- [ ] Copy env template: `cp env.template .env`
- [ ] Edit .env file with actual values:
  - [ ] `BESU_HTTP_URLS=http://127.0.0.1:8545`
  - [ ] `BESU_WS_URLS=ws://127.0.0.1:8546`
  - [ ] `WEB3SIGNER_URL=http://192.168.11.111:9000` (VMID 107)
  - [ ] `REDIS_HOST=192.168.11.110` (VMID 106)
  - [ ] `REDIS_PORT=6379`
  - [ ] `REDIS_PASSWORD=<password-if-set>`
  - [ ] `VAULT_ADDR=http://192.168.11.112:8200` (VMID 108, if using Vault)
  - [ ] `VAULT_ROLE_ID=<role-id>` (if using Vault)
  - [ ] `VAULT_SECRET_ID=<secret-id>` (if using Vault)
  - [ ] `WALLET_ALLOWLIST=<comma-separated-addresses>`
- [ ] Validate configuration: `node scripts/validate-config.js`

#### 4. Systemd Service

- [ ] Copy systemd service file: 
  ```bash
  cp systemd/rpc-translator-138.service /etc/systemd/system/
  ```
- [ ] Reload systemd: `systemctl daemon-reload`
- [ ] Enable service: `systemctl enable rpc-translator-138.service`
- [ ] Start service: `systemctl start rpc-translator-138.service`
- [ ] Check status: `systemctl status rpc-translator-138.service`
- [ ] Check logs: `journalctl -u rpc-translator-138.service -f`

#### 5. Verification

- [ ] Test health endpoint: `curl http://localhost:9545/health`
- [ ] Test RPC endpoint: `curl -X POST http://localhost:9545 -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'`
- [ ] Verify service is listening on port 9545: `netstat -tulpn | grep 9545`
- [ ] Verify service is listening on port 9546: `netstat -tulpn | grep 9546`

## Phase 3: Edge Routing Configuration

### Update Cloudflare Tunnel or Nginx

- [ ] Identify current edge routing configuration
- [ ] Update routing to forward:
  - [ ] External `:8545` → `2400:9545, 2401:9545, 2402:9545`
  - [ ] External `:8546` → `2400:9546, 2401:9546, 2402:9546`
- [ ] Test external endpoint connectivity
- [ ] Verify load balancing is working

## Phase 4: Integration Testing

### Basic Functionality

- [ ] Test `eth_chainId` returns 138 (0x8a)
- [ ] Test `eth_blockNumber` returns current block
- [ ] Test `eth_gasPrice` returns gas price
- [ ] Test `eth_getTransactionCount` returns nonce
- [ ] Test `eth_estimateGas` works

### WebSocket Testing

- [ ] Connect to WebSocket endpoint
- [ ] Test `eth_subscribe` to `newHeads`
- [ ] Verify subscription messages are received
- [ ] Test `eth_unsubscribe` works

### Transaction Testing

- [ ] Prepare test transaction with allowlisted address
- [ ] Test `eth_sendTransaction` (should be intercepted)
- [ ] Verify transaction is signed via Web3Signer
- [ ] Verify transaction is submitted as `eth_sendRawTransaction`
- [ ] Verify transaction hash is returned
- [ ] Verify transaction appears in Besu

### Nonce Management Testing

- [ ] Send 5-10 concurrent transactions from same address
- [ ] Verify nonces are sequential (no collisions)
- [ ] Verify Redis locks are working
- [ ] Test nonce cache behavior

### High Availability Testing

- [ ] Stop service on one VMID (2400)
- [ ] Verify traffic routes to remaining VMIDs (2401, 2402)
- [ ] Restart service on VMID 2400
- [ ] Verify load balancing resumes
- [ ] Test failover behavior

## Phase 5: Monitoring and Maintenance

### Monitoring Setup

- [ ] Set up log aggregation (if applicable)
- [ ] Configure health check monitoring
- [ ] Set up alerts for service failures
- [ ] Monitor Redis connection status
- [ ] Monitor Web3Signer connection status
- [ ] Monitor Vault connection status (if used)

### Documentation

- [ ] Document all IP addresses and credentials (securely)
- [ ] Document service start/stop procedures
- [ ] Document troubleshooting steps
- [ ] Document rollback procedures
- [ ] Document key rotation procedures (if applicable)

## Post-Deployment

- [ ] All three VMIDs (2400-2402) are running translator service
- [ ] Edge routing is configured and working
- [ ] All integration tests pass
- [ ] Monitoring is in place
- [ ] Documentation is complete
- [ ] Team is trained on operations

## Troubleshooting Checklist

If issues occur:

- [ ] Check service status: `systemctl status rpc-translator-138.service`
- [ ] Check logs: `journalctl -u rpc-translator-138.service -n 100`
- [ ] Verify Besu is running: `systemctl status besu-rpc.service`
- [ ] Test Besu connectivity: `curl http://127.0.0.1:8545 -X POST -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'`
- [ ] Test Redis connectivity: `redis-cli -h 192.168.11.110 ping` (VMID 106)
- [ ] Test Web3Signer: `curl http://192.168.11.111:9000/upcheck` (VMID 107)
- [ ] Test Vault (if used): `vault status -address=http://192.168.11.112:8200` (VMID 108)
- [ ] Check firewall rules
- [ ] Verify .env configuration: `node scripts/validate-config.js`
- [ ] Check network connectivity between services

## Rollback Procedure

If deployment fails:

- [ ] Stop translator service: `systemctl stop rpc-translator-138.service`
- [ ] Disable service: `systemctl disable rpc-translator-138.service`
- [ ] Revert edge routing to point to Besu directly
- [ ] Verify Besu is accessible
- [ ] Document issues for next deployment attempt