chore: add current provisioning state before migration

taskservs/polkadot/bootnode/default/env-polkadot-bootnode.j2

@@ -0,0 +1,68 @@
+# Polkadot Bootnode Environment Configuration
+# Generated by provisioning system
+
+POLKADOT_VERSION={{ polkadot_bootnode.version }}
+POLKADOT_RUN_USER={{ polkadot_bootnode.run_user.name }}
+POLKADOT_RUN_GROUP={{ polkadot_bootnode.run_user.group }}
+POLKADOT_RUN_USER_HOME={{ polkadot_bootnode.run_user.home }}
+POLKADOT_WORK_PATH={{ polkadot_bootnode.work_path }}
+POLKADOT_CONFIG_PATH={{ polkadot_bootnode.config_path }}
+POLKADOT_BIN_PATH={{ polkadot_bootnode.bin_path }}
+POLKADOT_BASE_PATH={{ polkadot_bootnode.base_path }}
+
+# Bootnode Configuration
+POLKADOT_BOOTNODE_NAME={{ polkadot_bootnode.name }}
+{% if polkadot_bootnode.node_key_file is defined %}
+POLKADOT_NODE_KEY_FILE={{ polkadot_bootnode.node_key_file }}
+{% endif %}
+
+# Network Configuration
+POLKADOT_CHAIN={{ polkadot_bootnode.network.chain }}
+POLKADOT_LISTEN_ADDRS="{{ polkadot_bootnode.network.listen_addrs | join(',') }}"
+{% if polkadot_bootnode.network.public_addr is defined %}
+POLKADOT_PUBLIC_ADDR="{{ polkadot_bootnode.network.public_addr }}"
+{% endif %}
+POLKADOT_MAX_PEERS={{ polkadot_bootnode.network.max_peers }}
+
+# Port Configuration
+POLKADOT_P2P_PORT={{ polkadot_bootnode.network.ports.p2p_port }}
+POLKADOT_WS_PORT={{ polkadot_bootnode.network.ports.ws_port }}
+POLKADOT_WSS_PORT={{ polkadot_bootnode.network.ports.wss_port }}
+
+# External Addresses
+{% if polkadot_bootnode.network.external_addresses %}
+POLKADOT_EXTERNAL_ADDRESSES="{{ polkadot_bootnode.network.external_addresses | join(',') }}"
+{% endif %}
+
+# Execution and Performance
+POLKADOT_EXECUTION={{ polkadot_bootnode.execution }}
+POLKADOT_STATE_CACHE_SIZE={{ polkadot_bootnode.state_cache_size }}
+
+# Logging Configuration
+POLKADOT_LOG_LEVEL={{ polkadot_bootnode.log_level }}
+{% if polkadot_bootnode.log_targets %}
+POLKADOT_LOG_TARGETS="{{ polkadot_bootnode.log_targets | join(',') }}"
+{% endif %}
+
+# Telemetry Configuration
+POLKADOT_TELEMETRY_ENABLED={{ polkadot_bootnode.telemetry.enabled | lower }}
+POLKADOT_TELEMETRY_URL="{{ polkadot_bootnode.telemetry.url }}"
+POLKADOT_TELEMETRY_VERBOSITY={{ polkadot_bootnode.telemetry.verbosity }}
+
+# WSS Configuration
+POLKADOT_WSS_ENABLED={{ polkadot_bootnode.wss.enabled | lower }}
+{% if polkadot_bootnode.wss.enabled %}
+POLKADOT_WSS_DOMAIN="{{ polkadot_bootnode.wss.domain }}"
+POLKADOT_WSS_PROXY_TYPE={{ polkadot_bootnode.wss.proxy_type }}
+POLKADOT_WSS_RATE_LIMIT={{ polkadot_bootnode.wss.rate_limit }}
+
+# SSL Configuration for WSS
+POLKADOT_SSL_ENABLED={{ polkadot_bootnode.wss.ssl.enabled | lower }}
+{% if polkadot_bootnode.wss.ssl.enabled %}
+POLKADOT_SSL_CERT_FILE="{{ polkadot_bootnode.wss.ssl.cert_file }}"
+POLKADOT_SSL_KEY_FILE="{{ polkadot_bootnode.wss.ssl.key_file }}"
+{% if polkadot_bootnode.wss.ssl.ca_file is defined %}
+POLKADOT_SSL_CA_FILE="{{ polkadot_bootnode.wss.ssl.ca_file }}"
+{% endif %}
+{% endif %}
+{% endif %}

taskservs/polkadot/bootnode/default/install-polkadot-bootnode.sh

@@ -0,0 +1,295 @@
+#!/bin/bash
+# Info: Script to install Polkadot Bootnode
+# Author: Provisioning System
+# Release: 1.0
+# Date: 2025-07-24
+
+USAGE="install-polkadot-bootnode.sh"
+[ "$1" == "-h" ] && echo "$USAGE" && exit 1
+
+[ -r "env-polkadot-bootnode" ] && . ./env-polkadot-bootnode
+
+POLKADOT_VERSION=${POLKADOT_VERSION:-latest}
+POLKADOT_CHAIN=${POLKADOT_CHAIN:-polkadot}
+
+# Determine architecture
+ARCH="$(uname -m)"
+case $ARCH in
+    x86_64) ARCH="x86_64" ;;
+    aarch64) ARCH="aarch64" ;;
+    *) echo "Unsupported architecture: $ARCH" && exit 1 ;;
+esac
+
+# Set download URL based on version
+if [ "$POLKADOT_VERSION" = "latest" ]; then
+    POLKADOT_URL="https://github.com/paritytech/polkadot/releases/latest/download"
+    POLKADOT_BINARY="polkadot"
+else
+    POLKADOT_URL="https://github.com/paritytech/polkadot/releases/download/${POLKADOT_VERSION}"
+    POLKADOT_BINARY="polkadot"
+fi
+
+POLKADOT_BIN_PATH=${POLKADOT_BIN_PATH:-/usr/local/bin/polkadot}
+POLKADOT_SYSTEMCTL_MODE=${POLKADOT_SYSTEMCTL_MODE:-enabled}
+
+POLKADOT_CONFIG_PATH=${POLKADOT_CONFIG_PATH:-/etc/polkadot-bootnode}
+POLKADOT_WORK_PATH=${POLKADOT_WORK_PATH:-/var/lib/polkadot-bootnode}
+POLKADOT_BASE_PATH=${POLKADOT_BASE_PATH:-/var/lib/polkadot-bootnode/data}
+
+POLKADOT_RUN_USER=${POLKADOT_RUN_USER:-polkadot}
+POLKADOT_RUN_GROUP=${POLKADOT_RUN_GROUP:-polkadot}
+POLKADOT_RUN_USER_HOME=${POLKADOT_RUN_USER_HOME:-/home/polkadot}
+
+POLKADOT_BOOTNODE_NAME=${POLKADOT_BOOTNODE_NAME:-polkadot-bootnode}
+POLKADOT_P2P_PORT=${POLKADOT_P2P_PORT:-30310}
+POLKADOT_WS_PORT=${POLKADOT_WS_PORT:-30311}
+POLKADOT_WSS_PORT=${POLKADOT_WSS_PORT:-30312}
+
+echo "Installing Polkadot Bootnode ${POLKADOT_VERSION}..."
+
+# Install dependencies
+echo "Installing dependencies..."
+if command -v apt-get >/dev/null 2>&1; then
+    apt-get update
+    apt-get install -y curl ca-certificates jq nginx certbot python3-certbot-nginx
+elif command -v yum >/dev/null 2>&1; then
+    yum update -y
+    yum install -y curl ca-certificates jq nginx certbot python3-certbot-nginx
+elif command -v dnf >/dev/null 2>&1; then
+    dnf update -y
+    dnf install -y curl ca-certificates jq nginx certbot python3-certbot-nginx
+else
+    echo "Package manager not found. Please install dependencies manually."
+    exit 1
+fi
+
+# Create user and group
+if ! id "$POLKADOT_RUN_USER" &>/dev/null; then
+    groupadd -r "$POLKADOT_RUN_GROUP"
+    useradd -r -g "$POLKADOT_RUN_GROUP" -d "$POLKADOT_RUN_USER_HOME" -s /bin/bash -c "Polkadot bootnode service user" "$POLKADOT_RUN_USER"
+fi
+
+# Create directories
+mkdir -p "$POLKADOT_CONFIG_PATH"
+mkdir -p "$POLKADOT_WORK_PATH"
+mkdir -p "$POLKADOT_BASE_PATH"
+mkdir -p "$POLKADOT_RUN_USER_HOME"
+
+# Download and install Polkadot binary
+cd /tmp
+echo "Downloading Polkadot binary from ${POLKADOT_URL}/${POLKADOT_BINARY}..."
+curl -L -o polkadot "${POLKADOT_URL}/${POLKADOT_BINARY}"
+
+if [ ! -f "polkadot" ]; then
+    echo "Failed to download Polkadot binary"
+    exit 1
+fi
+
+# Install binary
+chmod +x polkadot
+mv polkadot "$(dirname "$POLKADOT_BIN_PATH")/"
+
+# Generate node key for bootnode
+echo "Generating bootnode key..."
+NODE_KEY_FILE="${POLKADOT_NODE_KEY_FILE:-$POLKADOT_CONFIG_PATH/node-key}"
+"$POLKADOT_BIN_PATH" key generate-node-key --file "$NODE_KEY_FILE"
+
+# Extract peer ID from node key
+PEER_ID=$("$POLKADOT_BIN_PATH" key inspect-node-key --file "$NODE_KEY_FILE")
+echo "Bootnode Peer ID: $PEER_ID"
+
+# Save peer ID for reference
+echo "$PEER_ID" > "$POLKADOT_CONFIG_PATH/peer-id"
+
+# Set ownership
+chown -R "$POLKADOT_RUN_USER:$POLKADOT_RUN_GROUP" "$POLKADOT_WORK_PATH"
+chown -R "$POLKADOT_RUN_USER:$POLKADOT_RUN_GROUP" "$POLKADOT_BASE_PATH"
+chown -R "$POLKADOT_RUN_USER:$POLKADOT_RUN_GROUP" "$POLKADOT_RUN_USER_HOME"
+chown -R "$POLKADOT_RUN_USER:$POLKADOT_RUN_GROUP" "$POLKADOT_CONFIG_PATH"
+
+# Build bootnode arguments
+BOOTNODE_ARGS="--chain $POLKADOT_CHAIN"
+BOOTNODE_ARGS="$BOOTNODE_ARGS --name $POLKADOT_BOOTNODE_NAME"
+BOOTNODE_ARGS="$BOOTNODE_ARGS --base-path $POLKADOT_BASE_PATH"
+BOOTNODE_ARGS="$BOOTNODE_ARGS --node-key-file $NODE_KEY_FILE"
+
+# Network configuration - bootnode specific ports
+BOOTNODE_ARGS="$BOOTNODE_ARGS --listen-addr /ip4/0.0.0.0/tcp/$POLKADOT_P2P_PORT"
+BOOTNODE_ARGS="$BOOTNODE_ARGS --listen-addr /ip4/0.0.0.0/tcp/$POLKADOT_WS_PORT/ws"
+
+# Public address configuration
+if [ -n "$POLKADOT_PUBLIC_ADDR" ]; then
+    BOOTNODE_ARGS="$BOOTNODE_ARGS --public-addr $POLKADOT_PUBLIC_ADDR"
+fi
+
+# External addresses
+if [ -n "$POLKADOT_EXTERNAL_ADDRESSES" ]; then
+    IFS=',' read -ra EXTERNALS <<< "$POLKADOT_EXTERNAL_ADDRESSES"
+    for external in "${EXTERNALS[@]}"; do
+        BOOTNODE_ARGS="$BOOTNODE_ARGS --public-addr $external"
+    done
+fi
+
+# Performance settings
+BOOTNODE_ARGS="$BOOTNODE_ARGS --execution ${POLKADOT_EXECUTION:-wasm}"
+BOOTNODE_ARGS="$BOOTNODE_ARGS --state-cache-size ${POLKADOT_STATE_CACHE_SIZE:-67108864}"
+
+# Telemetry
+if [ "${POLKADOT_TELEMETRY_ENABLED:-true}" = "true" ]; then
+    BOOTNODE_ARGS="$BOOTNODE_ARGS --telemetry-url '${POLKADOT_TELEMETRY_URL:-wss://telemetry.polkadot.io/submit/} ${POLKADOT_TELEMETRY_VERBOSITY:-0}'"
+fi
+
+# Logging
+LOG_CONFIG="${POLKADOT_LOG_LEVEL:-info}"
+if [ -n "$POLKADOT_LOG_TARGETS" ]; then
+    LOG_CONFIG="$LOG_CONFIG,${POLKADOT_LOG_TARGETS}"
+fi
+BOOTNODE_ARGS="$BOOTNODE_ARGS --log $LOG_CONFIG"
+
+# Create systemd service file
+cat > /etc/systemd/system/polkadot-bootnode.service << EOF
+[Unit]
+Description=Polkadot Bootnode
+Documentation=https://docs.polkadot.network/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=$POLKADOT_RUN_USER
+Group=$POLKADOT_RUN_GROUP
+Environment=RUST_LOG=${POLKADOT_LOG_LEVEL:-info}
+WorkingDirectory=$POLKADOT_WORK_PATH
+ExecStart=$POLKADOT_BIN_PATH $BOOTNODE_ARGS
+Restart=always
+RestartSec=10
+
+# Security settings
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=$POLKADOT_WORK_PATH $POLKADOT_BASE_PATH $POLKADOT_CONFIG_PATH
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Resource limits
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Setup WSS proxy if enabled
+if [ "${POLKADOT_WSS_ENABLED:-false}" = "true" ]; then
+    echo "Setting up secure WebSocket proxy for bootnode..."
+    
+    # Create nginx configuration for bootnode WSS
+    cat > /etc/nginx/sites-available/polkadot-bootnode-wss << EOF
+server {
+    listen ${POLKADOT_WSS_PORT} ssl http2;
+    server_name ${POLKADOT_WSS_DOMAIN};
+
+    # SSL configuration
+    ssl_certificate ${POLKADOT_SSL_CERT_FILE};
+    ssl_certificate_key ${POLKADOT_SSL_KEY_FILE};
+    
+    # SSL settings
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # Rate limiting for bootnode
+    limit_req_zone \$binary_remote_addr zone=bootnode_limit:10m rate=${POLKADOT_WSS_RATE_LIMIT:-1000}r/m;
+    limit_req zone=bootnode_limit burst=50 nodelay;
+
+    location / {
+        proxy_pass http://127.0.0.1:$POLKADOT_WS_PORT;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        
+        # WebSocket specific
+        proxy_read_timeout 86400;
+        proxy_send_timeout 86400;
+    }
+}
+EOF
+
+    # Enable site
+    ln -sf /etc/nginx/sites-available/polkadot-bootnode-wss /etc/nginx/sites-enabled/
+    
+    # Test nginx configuration
+    nginx -t && systemctl restart nginx
+fi
+
+# Create bootnode info file
+cat > "$POLKADOT_CONFIG_PATH/bootnode-info.json" << EOF
+{
+  "peer_id": "$PEER_ID",
+  "chain": "$POLKADOT_CHAIN",
+  "name": "$POLKADOT_BOOTNODE_NAME",
+  "p2p_port": $POLKADOT_P2P_PORT,
+  "ws_port": $POLKADOT_WS_PORT,
+  "wss_port": $POLKADOT_WSS_PORT,
+  "public_addr": "${POLKADOT_PUBLIC_ADDR:-}",
+  "wss_enabled": ${POLKADOT_WSS_ENABLED:-false},
+  "wss_domain": "${POLKADOT_WSS_DOMAIN:-}",
+  "connections": {
+    "p2p": "/ip4/YOUR_IP/tcp/$POLKADOT_P2P_PORT/p2p/$PEER_ID",
+    "ws": "/ip4/YOUR_IP/tcp/$POLKADOT_WS_PORT/ws/p2p/$PEER_ID",
+    "wss": "$([ "${POLKADOT_WSS_ENABLED:-false}" = "true" ] && echo "wss://${POLKADOT_WSS_DOMAIN}:${POLKADOT_WSS_PORT}" || echo "N/A")"
+  }
+}
+EOF
+
+# Enable and start service
+systemctl daemon-reload
+systemctl "$POLKADOT_SYSTEMCTL_MODE" polkadot-bootnode.service
+
+if [ "$POLKADOT_SYSTEMCTL_MODE" = "enabled" ]; then
+    systemctl start polkadot-bootnode.service
+    
+    # Wait a moment for service to start
+    sleep 5
+fi
+
+echo "=========================================="
+echo "Polkadot Bootnode installation completed!"
+echo "=========================================="
+echo "Service: polkadot-bootnode.service"
+echo "Chain: $POLKADOT_CHAIN"
+echo "Bootnode name: $POLKADOT_BOOTNODE_NAME"
+echo "Peer ID: $PEER_ID"
+echo ""
+echo "Connection endpoints:"
+echo "P2P:      /ip4/YOUR_IP/tcp/$POLKADOT_P2P_PORT/p2p/$PEER_ID"
+echo "WS:       /ip4/YOUR_IP/tcp/$POLKADOT_WS_PORT/ws/p2p/$PEER_ID"
+
+if [ "${POLKADOT_WSS_ENABLED:-false}" = "true" ]; then
+    echo "WSS:      wss://${POLKADOT_WSS_DOMAIN}:${POLKADOT_WSS_PORT}"
+fi
+
+echo ""
+echo "Configuration: $POLKADOT_CONFIG_PATH/"
+echo "Node key: $NODE_KEY_FILE"
+echo "Bootnode info: $POLKADOT_CONFIG_PATH/bootnode-info.json"
+
+# Display service status
+if systemctl is-active --quiet polkadot-bootnode.service; then
+    echo "✅ Polkadot bootnode service is running"
+else
+    echo "⚠️  Polkadot bootnode service status:"
+    systemctl status polkadot-bootnode.service --no-pager -l
+fi
+
+echo ""
+echo "To use this bootnode, add the following to other nodes:"
+echo "--bootnode /ip4/YOUR_IP/tcp/$POLKADOT_P2P_PORT/p2p/$PEER_ID"
+
+# Cleanup
+cd /
+rm -rf /tmp/polkadot

taskservs/polkadot/bootnode/default/prepare

@@ -0,0 +1,125 @@
+#!/bin/bash
+# Info: Polkadot Bootnode preparation script
+# Author: Provisioning System
+# Release: 1.0
+
+echo "Preparing Polkadot Bootnode installation..."
+
+# Load environment variables
+[ -r "env-polkadot-bootnode" ] && . ./env-polkadot-bootnode
+
+# Check if required tools are available
+command -v curl >/dev/null 2>&1 || { echo "curl is required but not installed." >&2; exit 1; }
+command -v systemctl >/dev/null 2>&1 || { echo "systemctl is required but not installed." >&2; exit 1; }
+
+# Validate configuration
+if [ -z "$POLKADOT_VERSION" ]; then
+    echo "POLKADOT_VERSION must be set" >&2
+    exit 1
+fi
+
+# Validate chain
+case "${POLKADOT_CHAIN:-polkadot}" in
+    "polkadot"|"kusama"|"westend")
+        echo "Chain: ${POLKADOT_CHAIN}"
+        ;;
+    *)
+        echo "Invalid chain: ${POLKADOT_CHAIN}" >&2
+        exit 1
+        ;;
+esac
+
+# Check bootnode port availability
+BOOTNODE_PORTS=(
+    "${POLKADOT_P2P_PORT:-30310}"
+    "${POLKADOT_WS_PORT:-30311}"
+    "${POLKADOT_WSS_PORT:-30312}"
+)
+
+for port in "${BOOTNODE_PORTS[@]}"; do
+    if command -v netstat >/dev/null 2>&1; then
+        if netstat -tuln | grep -q ":$port "; then
+            echo "Warning: Bootnode port $port appears to be in use"
+        fi
+    elif command -v ss >/dev/null 2>&1; then
+        if ss -tuln | grep -q ":$port "; then
+            echo "Warning: Bootnode port $port appears to be in use"
+        fi
+    fi
+done
+
+# Validate port uniqueness
+P2P_PORT=${POLKADOT_P2P_PORT:-30310}
+WS_PORT=${POLKADOT_WS_PORT:-30311}
+WSS_PORT=${POLKADOT_WSS_PORT:-30312}
+
+if [ "$P2P_PORT" = "$WS_PORT" ] || [ "$P2P_PORT" = "$WSS_PORT" ] || [ "$WS_PORT" = "$WSS_PORT" ]; then
+    echo "Error: Bootnode ports must be unique" >&2
+    echo "P2P: $P2P_PORT, WS: $WS_PORT, WSS: $WSS_PORT" >&2
+    exit 1
+fi
+
+# Validate WSS configuration for bootnode
+if [ "${POLKADOT_WSS_ENABLED:-false}" = "true" ]; then
+    if [ -z "$POLKADOT_WSS_DOMAIN" ]; then
+        echo "Error: WSS enabled but domain not configured" >&2
+        exit 1
+    fi
+    
+    if [ "${POLKADOT_SSL_ENABLED:-false}" != "true" ]; then
+        echo "Error: WSS requires SSL to be enabled" >&2
+        exit 1
+    fi
+    
+    if [ -z "$POLKADOT_SSL_CERT_FILE" ] || [ -z "$POLKADOT_SSL_KEY_FILE" ]; then
+        echo "Error: SSL certificate files not configured" >&2
+        exit 1
+    fi
+    
+    echo "Bootnode WSS configuration validated for domain: $POLKADOT_WSS_DOMAIN"
+fi
+
+# Check if nginx is needed for WSS
+if [ "${POLKADOT_WSS_ENABLED:-false}" = "true" ]; then
+    if ! command -v nginx >/dev/null 2>&1; then
+        echo "nginx will be installed for WSS proxy support"
+    fi
+fi
+
+# Validate public address format if provided
+if [ -n "$POLKADOT_PUBLIC_ADDR" ]; then
+    if ! echo "$POLKADOT_PUBLIC_ADDR" | grep -qE '^/ip[46]/.*'; then
+        echo "Warning: Public address format may be incorrect: $POLKADOT_PUBLIC_ADDR"
+        echo "Expected format: /ip4/YOUR_IP/tcp/PORT or /ip6/YOUR_IP/tcp/PORT"
+    fi
+fi
+
+# Check available disk space (bootnode needs minimal space)
+AVAILABLE_SPACE=$(df "${POLKADOT_BASE_PATH:-/var/lib/polkadot-bootnode/data}" 2>/dev/null | awk 'NR==2 {print $4}' || echo "0")
+REQUIRED_SPACE=1000000  # 1GB should be enough for bootnode
+if [ "$AVAILABLE_SPACE" -ne "0" ] && [ "$AVAILABLE_SPACE" -lt "$REQUIRED_SPACE" ]; then
+    echo "Warning: Low disk space for bootnode"
+    echo "Available: $(($AVAILABLE_SPACE / 1024))MB, Recommended: $(($REQUIRED_SPACE / 1024))MB"
+fi
+
+# Check memory requirements (bootnode is lightweight)
+if command -v free >/dev/null 2>&1; then
+    FREE_MEMORY=$(free -m | awk '/^Mem:/{print $7}')
+    MIN_MEMORY=512  # Bootnode needs minimal memory
+    
+    if [ "$FREE_MEMORY" -lt "$MIN_MEMORY" ]; then
+        echo "Warning: Very low memory for bootnode"
+        echo "Available: ${FREE_MEMORY}MB, Minimum: ${MIN_MEMORY}MB"
+    fi
+fi
+
+echo "Preparation completed successfully."
+echo ""
+echo "Bootnode configuration:"
+echo "- Chain: ${POLKADOT_CHAIN:-polkadot}"
+echo "- P2P port: ${POLKADOT_P2P_PORT:-30310}"
+echo "- WS port: ${POLKADOT_WS_PORT:-30311}"
+echo "- WSS port: ${POLKADOT_WSS_PORT:-30312}"
+echo "- WSS enabled: ${POLKADOT_WSS_ENABLED:-false}"
+echo "- Public address: ${POLKADOT_PUBLIC_ADDR:-auto-detect}"
+echo "- Data path: ${POLKADOT_BASE_PATH:-/var/lib/polkadot-bootnode/data}"

taskservs/polkadot/bootnode/default/provisioning.toml

@@ -0,0 +1,2 @@
+info = "polkadot-bootnode"
+release = "1.0"

taskservs/polkadot/bootnode/default/setup-ssl.sh.j2

@@ -0,0 +1,108 @@
+#!/bin/bash
+# Info: SSL setup script for Polkadot Bootnode WSS
+# Author: Provisioning System
+
+set -e
+
+DOMAIN="{{ polkadot_bootnode.wss.domain }}"
+SSL_CERT_FILE="{{ polkadot_bootnode.wss.ssl.cert_file }}"
+SSL_KEY_FILE="{{ polkadot_bootnode.wss.ssl.key_file }}"
+EMAIL=${SSL_EMAIL:-admin@${DOMAIN}}
+
+echo "Setting up SSL certificates for Polkadot Bootnode WSS..."
+
+# Function to setup Let's Encrypt certificate
+setup_letsencrypt() {
+    echo "Setting up Let's Encrypt certificate for $DOMAIN..."
+    
+    # Stop nginx temporarily
+    systemctl stop nginx 2>/dev/null || true
+    
+    # Generate certificate
+    certbot certonly --standalone \
+        --non-interactive \
+        --agree-tos \
+        --email "$EMAIL" \
+        -d "$DOMAIN"
+    
+    # Copy certificates to expected locations
+    cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$SSL_CERT_FILE"
+    cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$SSL_KEY_FILE"
+    
+    # Set proper permissions
+    chmod 644 "$SSL_CERT_FILE"
+    chmod 600 "$SSL_KEY_FILE"
+    chown root:root "$SSL_CERT_FILE" "$SSL_KEY_FILE"
+    
+    echo "Let's Encrypt certificate installed successfully"
+}
+
+# Function to generate self-signed certificate
+setup_selfsigned() {
+    echo "Generating self-signed certificate for $DOMAIN..."
+    
+    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+        -keyout "$SSL_KEY_FILE" \
+        -out "$SSL_CERT_FILE" \
+        -subj "/C=US/ST=State/L=City/O=Organization/CN=$DOMAIN"
+    
+    # Set proper permissions
+    chmod 644 "$SSL_CERT_FILE"
+    chmod 600 "$SSL_KEY_FILE"
+    chown root:root "$SSL_CERT_FILE" "$SSL_KEY_FILE"
+    
+    echo "Self-signed certificate generated successfully"
+}
+
+# Create certificate directories
+mkdir -p "$(dirname "$SSL_CERT_FILE")"
+mkdir -p "$(dirname "$SSL_KEY_FILE")"
+
+# Setup certificate based on preference
+case "${SSL_METHOD:-letsencrypt}" in
+    "letsencrypt")
+        setup_letsencrypt
+        ;;
+    "selfsigned")
+        setup_selfsigned
+        ;;
+    *)
+        echo "Invalid SSL method: ${SSL_METHOD}"
+        echo "Use 'letsencrypt' or 'selfsigned'"
+        exit 1
+        ;;
+esac
+
+# Verify certificates
+if [ -f "$SSL_CERT_FILE" ] && [ -f "$SSL_KEY_FILE" ]; then
+    echo "SSL certificates installed:"
+    echo "Certificate: $SSL_CERT_FILE"
+    echo "Private key: $SSL_KEY_FILE"
+    
+    # Test certificate
+    openssl x509 -in "$SSL_CERT_FILE" -noout -text | grep -E "(Subject:|Issuer:|Not After:)"
+else
+    echo "Error: SSL certificate setup failed"
+    exit 1
+fi
+
+# Setup certificate renewal for Let's Encrypt
+if [ "${SSL_METHOD:-letsencrypt}" = "letsencrypt" ]; then
+    # Create renewal hook
+    cat > /etc/letsencrypt/renewal-hooks/deploy/polkadot-bootnode.sh << 'EOF'
+#!/bin/bash
+# Copy renewed certificates
+cp "/etc/letsencrypt/live/{{ polkadot_bootnode.wss.domain }}/fullchain.pem" "{{ polkadot_bootnode.wss.ssl.cert_file }}"
+cp "/etc/letsencrypt/live/{{ polkadot_bootnode.wss.domain }}/privkey.pem" "{{ polkadot_bootnode.wss.ssl.key_file }}"
+
+# Reload nginx
+systemctl reload nginx
+
+echo "Polkadot Bootnode SSL certificates renewed"
+EOF
+    
+    chmod +x /etc/letsencrypt/renewal-hooks/deploy/polkadot-bootnode.sh
+    echo "Certificate auto-renewal configured"
+fi
+
+echo "SSL setup completed successfully!"