Runbook (mpabi): Agave RPC (mainnet, private) + Geyser plugin -> Postgres

Cel:
- Na mpabi odpalic prywatny Agave RPC (non-voting) po WireGuard (wg0).
- Zbudowac Agave ze zrodel (pinned release).
- (Po starcie) dodac Geyser plugin zapisujacy do PostgreSQL.

Skrot (kolejnosc):
1) Preconditions: WG + UFW (SSH tylko po wg0).
2) Storage: SOLACCT->/var/lib/solana/accounts, SOLLEDG->/var/lib/solana/ledger (+ decyzja: wipe czy kontynuacja).
3) Pakiety + sysctl/limits.
4) /opt/solana/bin: Anza tools (solana-keygen itd.).
5) Build Agave ze zrodel (pin tag) + install do /opt/solana/bin/agave-validator.
6) Identity (0600).
7) Genesis + snapshot (mainnet).
8) Systemd: agave-validator (User=solana) + RPC smoke test po WG.
9) Geyser plugin -> Postgres + dopiecie do systemd + weryfikacja.

Konwencja:
- Komendy uruchamiasz jako user: `user` (z sudo).
- Validator dziala jako uzytkownik systemowy: `solana`.
- Biny instalujemy do /opt/solana/bin (root-owned, stabilne sciezki).
- Dane runtime:
  - ledger:   /var/lib/solana/ledger   (SOLLEDG = /dev/nvme1n1p1)
  - accounts: /var/lib/solana/accounts (SOLACCT = /dev/nvme0n1p1)

Parametry hosta (mpabi):
- Public iface: enp6s0, public IP: 149.50.116.219
- WireGuard iface: wg0, WG IP: 10.66.66.1
- RPC: 8899, WS: 8900
- Cluster inbound UDP: 8000-8020 (na public)

=====================
0) Preconditions
=====================
1) WireGuard up:
   ip -4 a show wg0
   wg show

2) SSH powinno byc tylko po wg0 (defense-in-depth):
   sudo ufw status verbose

3) Upewnij sie, ze masz sudo do operacji operatorskich (systemctl/journalctl/ufw).

=====================
1) Storage: mount SOLACCT/SOLLEDG
=====================
UWAGA: ten wariant NIE formatuje dyskow (bez kasowania), tylko montuje istniejace XFS.

UUIDs (wg lsblk -f):
- SOLACCT: 055bf4e7-00f0-45a0-a995-2413b14428c4  (/dev/nvme0n1p1)
- SOLLEDG: 6ac7a8c6-efc7-4803-a3dc-a66ea2ef0125  (/dev/nvme1n1p1)

1) (Opcjonalnie) obejrzyj co zajmuje SOLLEDG (zanim podepniesz pod /var/lib/solana/ledger):
   sudo mkdir -p /mnt/solledg
   sudo mount /dev/nvme1n1p1 /mnt/solledg
   sudo du -sh /mnt/solledg/* 2>/dev/null | sort -h | tail
   sudo umount /mnt/solledg

2) Utworz usera solana + mountpointy:
   sudo getent group solana >/dev/null || sudo groupadd --system solana
   sudo id -u solana >/dev/null 2>&1 || sudo useradd --system --gid solana \
     --home-dir /var/lib/solana --create-home --shell /bin/bash solana

   sudo install -d -o solana -g solana -m 0750 /var/lib/solana/accounts /var/lib/solana/ledger

3) Dodaj wpisy do /etc/fstab (sprawdz czy nie ma juz duplikatow):
   grep -nE '(/var/lib/solana/(accounts|ledger))' /etc/fstab || true

   UUID_ACCTS="055bf4e7-00f0-45a0-a995-2413b14428c4"
   UUID_LEDGER="6ac7a8c6-efc7-4803-a3dc-a66ea2ef0125"

   echo "UUID=$UUID_ACCTS /var/lib/solana/accounts xfs noatime,nodiratime 0 2" | sudo tee -a /etc/fstab >/dev/null
   echo "UUID=$UUID_LEDGER /var/lib/solana/ledger   xfs noatime,nodiratime 0 2" | sudo tee -a /etc/fstab >/dev/null

   sudo mount -a
   sudo systemctl daemon-reload

4) Permissions (krytyczne):
   sudo chown solana:solana /var/lib/solana/accounts /var/lib/solana/ledger
   sudo chmod 750 /var/lib/solana/accounts /var/lib/solana/ledger

5) Verify:
   df -hT /var/lib/solana/accounts /var/lib/solana/ledger
   findmnt /var/lib/solana/accounts
   findmnt /var/lib/solana/ledger
   stat -c '%U:%G %a %n' /var/lib/solana/accounts /var/lib/solana/ledger

DECYZJA: co robimy z SOLLEDG (63% used)?
- Opcja A: zostawiamy (jesli to stary ledger Solany i chcesz kontynuowac).
- Opcja B: czyscimy i robimy sync od nowa (destrukcyjne, rekomendowane dla powtarzalnosci):
  sudo systemctl stop agave-validator 2>/dev/null || true
  sudo -u solana -H bash -lc '
    cd /var/lib/solana/ledger
    rm -rf rocksdb snapshots accounts_index accounts_hash_cache admin.rpc ledger.lock
  '

=====================
2) Pakiety + sysctl/limits
=====================
1) Pakiety:
   sudo apt-get update
   sudo apt-get install -y \
     chrony curl jq git ca-certificates ripgrep \
     smartmontools nvme-cli \
     build-essential pkg-config libssl-dev \
     clang llvm-dev libclang-dev \
     cmake protobuf-compiler libudev-dev zlib1g-dev

2) Sysctl:
   sudo tee /etc/sysctl.d/90-agave.conf >/dev/null <<'EOF'
fs.file-max = 2000000
vm.max_map_count = 1000000
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 250000
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
EOF
   sudo sysctl --system

3) ulimit:
   sudo tee /etc/security/limits.d/90-solana.conf >/dev/null <<'EOF'
* soft nofile 1000000
* hard nofile 1000000
EOF

=====================
3) Firewall (UFW) dla prywatnego RPC
=====================
Docelowo:
- SSH 22/tcp: tylko wg0
- RPC 8899/tcp, WS 8900/tcp: tylko wg0 (dodatkowo bind na 10.66.66.1)
- WireGuard: 51820/udp (public)
- Cluster sync: 8000-8020/udp (public)

Komendy (jesli jeszcze nie ustawione):
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow 51820/udp

  sudo ufw allow in on wg0 to any port 22 proto tcp
  sudo ufw deny  in on enp6s0 to any port 22 proto tcp

  sudo ufw allow in on wg0 to any port 8899 proto tcp
  sudo ufw allow in on wg0 to any port 8900 proto tcp
  sudo ufw deny  in on enp6s0 to any port 8899 proto tcp
  sudo ufw deny  in on enp6s0 to any port 8900 proto tcp

  sudo ufw allow in on enp6s0 to any port 8000:8020 proto udp

  sudo ufw enable
  sudo ufw status verbose

=====================
4) Instalacja narzedzi Solana/Anza do /opt/solana/bin
=====================
1) Installer (jako solana):
   sudo install -d -o root -g root -m 0755 /opt/solana/bin
   sudo -u solana -H bash -lc 'sh -c "$(curl -sSfL https://release.anza.xyz/stable/install)"'

2) Skopiuj biny do /opt/solana/bin:
   sudo cp -a /var/lib/solana/.local/share/solana/install/active_release/bin/. /opt/solana/bin/
   sudo find /opt/solana/bin -maxdepth 1 -type f -exec chmod 0755 {} \;

3) Verify:
   /opt/solana/bin/solana --version || true
   /opt/solana/bin/solana-keygen --version

=====================
5) Build + install agave-validator (pinned latest stable)
=====================
Patrz:
- trade-iac/doc/step-002f-agave-build-from-source-latest.txt

Skrót:
1) Wybierz TAG (np. v3.0.x) i zbuduj jako solana do /var/lib/solana/src/
2) Zainstaluj binarke do /opt/solana/bin/agave-validator
3) Verify:
   /opt/solana/bin/agave-validator --version

=====================
6) Identity
=====================
1) Utworz raz:
   if [ ! -f /var/lib/solana/identity.json ]; then
     sudo -u solana -H /opt/solana/bin/solana-keygen new --no-passphrase -o /var/lib/solana/identity.json
     sudo chown solana:solana /var/lib/solana/identity.json
     sudo chmod 0600 /var/lib/solana/identity.json
   fi

2) Zapisz pubkey do notatek:
   sudo -u solana -H /opt/solana/bin/solana-keygen pubkey /var/lib/solana/identity.json

=====================
7) Genesis + snapshot (mainnet)
=====================
1) Genesis:
   patrz: trade-iac/doc/step-002c-genesis-download-mainnet.txt

2) Snapshot (wymagany na mainnet):
   patrz: trade-iac/doc/step-002d-snapshot-download-mainnet.txt

=====================
8) Systemd: agave-validator (RPC-only)
=====================
Unit template:
- trade-iac/doc/step-002b-agave-validator-systemd.txt

Wazne:
- `User=solana`
- `--rpc-bind-address 10.66.66.1`
- `--private-rpc`
- nie uzywaj `\\` w ExecStart (tylko pojedynczy `\` na koncu linii)

Start/verify:
  sudo systemctl daemon-reload
  sudo systemctl enable --now agave-validator
  systemctl is-active agave-validator
  sudo journalctl -u agave-validator -n 120 --no-pager

RPC smoke test (po WG):
  curl -sS -H 'content-type: application/json' \
    --data '{"jsonrpc":"2.0","id":1,"method":"getVersion"}' \
    http://10.66.66.1:8899 | jq .

Manual run (exports + komenda w plikach na mpabi):
  # Zawiera "solana export" (PATH + SOLANA_RPC_URL) i helper `agave_run()`:
  # - /etc/solana/agave-env.sh
  # - /etc/solana/agave-validator.args
  sudo -u solana -H bash -lc 'source /etc/solana/agave-env.sh; agave_run'

=====================
9) Geyser plugin -> PostgreSQL
=====================
Krok po kroku:
- trade-iac/doc/step-003-geyser-plugin-postgres.txt

Skrót:
1) Postgres:
   sudo apt-get install -y postgresql
   sudo systemctl enable --now postgresql

2) DB/user:
   sudo -u postgres psql -v ON_ERROR_STOP=1 <<'SQL'
   DO $$
   BEGIN
     IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'geyser') THEN
       CREATE ROLE geyser LOGIN PASSWORD 'CHANGE_ME';
     END IF;
   END $$;
   CREATE DATABASE geyser OWNER geyser;
   SQL

3) Build plugin (.so) i instaluj do /opt/solana/plugins/
4) Skopiuj example JSON config do /etc/solana/geyser-postgres.json, ustaw DSN, selektory.
5) Dopisz do unit ExecStart:
     --geyser-plugin-config /etc/solana/geyser-postgres.json
   i zrestartuj:
     sudo systemctl daemon-reload
     sudo systemctl restart agave-validator

Verify:
  sudo journalctl -u agave-validator -n 200 --no-pager | rg -i 'geyser|plugin|postgres' || true
  sudo -u postgres psql -d geyser -c '\\dt' | head
