From 287188b1c5c4611b3e421e943e3ee82d3d77376c Mon Sep 17 00:00:00 2001
From: u1
Date: Fri, 6 Feb 2026 23:44:10 +0100
Subject: [PATCH] feat(ansible): install agave and provision identity for solana-rpc
---
 ansible/group_vars/sol_rpc.yml | 6 ++-
 ansible/playbooks/doc-rpc-sol-min.yml | 42 ++++++++++++++++++++
 doc/etap-006-agave-install-identity-start.md | 26 ++++++++++++
 3 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 doc/etap-006-agave-install-identity-start.md
diff --git a/ansible/group_vars/sol_rpc.yml b/ansible/group_vars/sol_rpc.yml
index f590c15..efd1772 100644
--- a/ansible/group_vars/sol_rpc.yml
+++ b/ansible/group_vars/sol_rpc.yml
@@ -2,7 +2,11 @@
 solana_user: solana
 solana_group: solana
 solana_home: /var/lib/solana
+solana_install_script_url: https://release.anza.xyz/stable/install
+solana_active_release_bin_dir: "{{ solana_home }}/.local/share/solana/install/active_release/bin"
 solana_validator_bin: /opt/solana/bin/agave-validator
+solana_keygen_primary_bin: /opt/solana/bin/agave-keygen
+solana_keygen_fallback_bin: /opt/solana/bin/solana-keygen
 solana_rpc_service_name: solana-rpc
 solana_identity_path: /var/lib/solana/identity.json
@@ -10,7 +14,7 @@
 solana_ledger_dir: /var/lib/solana/ledger
 solana_accounts_dir: /var/lib/solana/accounts
 solana_log_dir: /var/log/solana
-solana_rpc_bind_address: 10.10.0.2
+solana_rpc_bind_address: 127.0.0.1
 solana_rpc_port: 8899
 solana_rpc_pubsub_port: 8900
 solana_dynamic_port_range: "8000-8020"
diff --git a/ansible/playbooks/doc-rpc-sol-min.yml b/ansible/playbooks/doc-rpc-sol-min.yml
index f2e34ad..0323b80 100644
--- a/ansible/playbooks/doc-rpc-sol-min.yml
+++ b/ansible/playbooks/doc-rpc-sol-min.yml
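Review bot: `solana_install_script_url` selects the floating `stable` channel, so each fresh host runs whatever installer Anza is publishing at that moment and nothing records which Agave version a host was bootstrapped with. Pin it to a concrete release tag, e.g. `solana_agave_version: "v2.x.y"` (a real tag) and `solana_install_script_url: "https://release.anza.xyz/{{ solana_agave_version }}/install"`; the release host serves the installer under a version path as well as `stable`, as far as I recall, so verify the URL once when choosing the tag. A pinned tag is also what makes it possible to keep an expected checksum for the installer next to the URL.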
@@ -70,6 +70,7 @@
 - { path: "{{ solana_ledger_dir }}", owner: "{{ solana_user }}", group: "{{ solana_group }}", mode: "0750" }
 - { path: "{{ solana_accounts_dir }}", owner: "{{ solana_user }}", group: "{{ solana_group }}", mode: "0750" }
 - { path: "{{ solana_log_dir }}", owner: "{{ solana_user }}", group: "{{ solana_group }}", mode: "0750" }
+ - { path: "/opt/solana/bin", owner: "root", group: "root", mode: "0755" }
 - name: Deploy tmux config (Ctrl+a prefix)
 ansible.builtin.copy:
@@ -125,6 +126,47 @@
 path: "{{ solana_validator_bin }}"
 register: solana_validator_bin_stat
+ - name: Install Agave toolchain for solana user when validator missing
+ ansible.builtin.shell: |
+ set -euo pipefail
+ sh -c "$(curl -sSfL {{ solana_install_script_url }})"
+ become_user: "{{ solana_user }}"
+ environment:
+ HOME: "{{ solana_home }}"
+ when: not solana_validator_bin_stat.stat.exists
+ - name: Link Agave binaries into /opt/solana/bin
+ ansible.builtin.shell: |
+ set -euo pipefail
+ if [ ! -d "{{ solana_active_release_bin_dir }}" ]; then
+ echo "Active release bin dir missing: {{ solana_active_release_bin_dir }}" >&2
+ exit 1
+ fi
+ for bin in "{{ solana_active_release_bin_dir }}"/*; do
+ name="$(basename "$bin")"
+ ln -sfn "$bin" "/opt/solana/bin/$name"
+ done
+ when: not solana_validator_bin_stat.stat.exists
+ - name: Re-check validator binary after install
+ ansible.builtin.stat:
+ path: "{{ solana_validator_bin }}"
+ register: solana_validator_bin_stat
+ - name: Ensure identity key exists
+ ansible.builtin.shell: |
+ set -euo pipefail
+ KEYGEN="{{ solana_keygen_primary_bin }}"
+ if [ ! -x "$KEYGEN" ]; then
+ KEYGEN="{{ solana_keygen_fallback_bin }}"
+ fi
+ "$KEYGEN" new --no-passphrase -o "{{ solana_identity_path }}"
+ become_user: "{{ solana_user }}"
+ environment:
+ HOME: "{{ solana_home }}"
+ args:
+ creates: "{{ solana_identity_path }}"
+
 - name: Check identity key exists
 ansible.builtin.stat:
 path: "{{ solana_identity_path }}"
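Review bot: Creating `/opt/solana/bin` as root-owned `0755` does not by itself protect the validator executable, because the `Link Agave binaries` task later in this commit fills it with symlinks that resolve into `{{ solana_home }}/.local/share/solana/...`, a tree the `solana` service account owns and can rewrite. If the root-owned directory is meant to keep the service from modifying its own binaries (persistence after a compromise of the RPC process), copy the release binaries in as root-owned `0755` files (`ansible.builtin.copy` with `remote_src: true`) instead of symlinking; if the symlink layout is deliberate, say so on this entry, e.g. `# symlinks into the solana-owned install tree; binaries are NOT root-protected`. The directory list this entry belongs to starts outside the hunk.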
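Review bot: `Ensure identity key exists` captures the keygen's stdout, and `agave-keygen new` prints the recovery seed phrase of the new keypair there unless told not to, so the secret behind the validator identity lands in the task result, any `-v` run and whatever callback or job logging is configured; add `no_log: true` to the task and `--silent` to the call, i.e. `"$KEYGEN" new --no-passphrase --silent -o "{{ solana_identity_path }}"`. The larger point is the install task at the top of the hunk: `sh -c "$(curl -sSfL …)"` executes an unverified script fetched over the network as `solana`, and with the URL on the `stable` channel nothing records which installer ran. Fetch the script with `get_url` against a recorded SHA-256 (a new `solana_install_script_sha256` var next to the URL) and a pinned release, then run the local copy, as below; the script in turn downloads the release tarball, so pinning the version is what ties down the binaries and the checksum covers only the installer. `become_user` on these tasks is only effective if `become` is enabled for the play, which is outside the hunk.
```yaml
    - name: Fetch pinned Agave install script
      ansible.builtin.get_url:
        url: "{{ solana_install_script_url }}"
        dest: "{{ solana_home }}/agave-install.sh"
        checksum: "sha256:{{ solana_install_script_sha256 }}"
        owner: "{{ solana_user }}"
        group: "{{ solana_group }}"
        mode: "0700"
      when: not solana_validator_bin_stat.stat.exists

    - name: Install Agave toolchain for solana user when validator missing
      ansible.builtin.command: "sh {{ solana_home }}/agave-install.sh"
      become_user: "{{ solana_user }}"
      environment:
        HOME: "{{ solana_home }}"
      when: not solana_validator_bin_stat.stat.exists
    # … unchanged: Link Agave binaries, Re-check validator binary, Ensure identity key exists …
```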
diff --git a/doc/etap-006-agave-install-identity-start.md b/doc/etap-006-agave-install-identity-start.md
new file mode 100644
index 0000000..d1b71ac
--- /dev/null
+++ b/doc/etap-006-agave-install-identity-start.md
@@ -0,0 +1,26 @@
+# Etap 006: Instalacja Agave + identity + start `solana-rpc`
+
+Cel etapu: domknąć bootstrap uruchomienia `solana-rpc` jako `solana` przez:
+
+1. instalację binarki `agave-validator`,
+2. wygenerowanie `identity.json` (jeśli brak),
+3. start usługi `solana-rpc` i test endpointu RPC.
+
+## Zakres
+
+- Rozszerzyć playbook o zadania instalacyjne Agave (idempotentnie).
+- Dodać provisioning `identity` jako użytkownik `solana`.
+- Utrzymać bezpieczny start: usługa uruchamiana tylko przy komplecie prereq.
+- Wykonać testy powdrożeniowe (`systemd`, port, JSON-RPC).
+
+## Założenia
+
+- Bootstrap używa domyślnego bind `127.0.0.1` (bez publicznej ekspozycji RPC).
+- Produkcyjny bind na WG IP i hardening sieciowy będzie osobnym etapem.
+
+## Kryteria akceptacji
+
+- `agave-validator` istnieje pod `/opt/solana/bin/agave-validator`.
+- `identity` istnieje pod `/var/lib/solana/identity.json` (owner `solana`).
+- `systemctl is-active solana-rpc` zwraca `active`.
+- Endpoint `http://127.0.0.1:8899` odpowiada na JSON-RPC.