archy/scripts/fleet-fips-unpair.sh

#!/bin/bash
# Strip the LAN fast-path peers from all 4 fleet nodes' fips.yaml,
# leaving only the public anchor (fips.v0l.io). Restart fips.service
# on each node.
#
# Purpose: verify that the general-case deployment (nodes anywhere in
# the world, no LAN between them) actually works — i.e. that two
# paired archipelago peers can reach each other purely through the
# FIPS DHT bootstrapped from the anchor.
#
# After running this, test with:
#   scripts/fleet-fips-pair.sh --verify        (peer state per node)
#   for ip in 116 198 228 253; do
#     ssh archipelago@192.168.1.$ip "dig @127.0.0.1 -p 5354 +short \
#       <other-node-npub>.fips AAAA"
#   done
#
# To restore the LAN fast-path: re-run scripts/fleet-fips-pair.sh.
#
# Usage: scripts/fleet-fips-unpair.sh

set -eo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
. "$SCRIPT_DIR/lib/common.sh"

# Roster — only need NIC names to preserve them in the yaml.
NODES=(
  "116 enp0s25"
  "198 enp2s0"
  "228 enp2s0"
  "253 enx9cbf0d0129f9"
)

TMP_ROOT=$(mktemp -d)
trap 'rm -rf "$TMP_ROOT"' EXIT

for row in "${NODES[@]}"; do
    read -r node nic <<< "$row"
    out="$TMP_ROOT/fips.yaml.$node"
    cat > "$out" <<YAML
# FIPS Node Configuration — anchor-only (managed by fleet-fips-unpair.sh)
# This is the shape a general archipelago install ships with: fleet
# nodes are NOT pre-paired; discovery happens via the anchor DHT.

node:
  identity:
    persistent: true

tun:
  enabled: true
  name: fips0
  mtu: 1280

dns:
  enabled: true
  bind_addr: "127.0.0.1"
  port: 5354

transports:
  udp:
    bind_addr: "0.0.0.0:2121"
  tcp:
    bind_addr: "0.0.0.0:8443"

ethernet:
  interface: "$nic"
  discovery: true
  announce: true
  auto_connect: true
  accept_connections: true

peers:
  - npub: "npub1zv58cn7v83mxvttl70w5fwjwuclfmntv9cnmv5wmz2nzz88u5urqvdx96n"
    alias: "fips.v0l.io"
    addresses:
      - transport: tcp
        addr: "fips.v0l.io:8443"
      - transport: udp
        addr: "fips.v0l.io:2121"
    connect_policy: auto_connect
YAML

    ip="192.168.1.$node"
    log_info "[.${node}] uploading anchor-only fips.yaml"
    scp_cmd "$out" "archipelago@${ip}:/tmp/fips.yaml.new"
    log_info "[.${node}] installing + restarting fips.service"
    ssh_cmd "$ip" '
        set -e
        sudo install -o root -g root -m 0600 /tmp/fips.yaml.new /etc/fips/fips.yaml
        rm -f /tmp/fips.yaml.new
        sudo systemctl restart fips.service
        for i in $(seq 1 10); do
            if sudo systemctl is-active fips.service >/dev/null 2>&1; then break; fi
            sleep 0.5
        done
        sudo systemctl is-active fips.service
    '
done

echo
log_info "Waiting 20s for anchor handshake + DHT propagation…"
sleep 20

echo
log_info "Post-unpair state (should show only fips.v0l.io as an authenticated peer):"
for row in "${NODES[@]}"; do
    read -r node _nic <<< "$row"
    ip="192.168.1.$node"
    count=$(ssh_cmd "$ip" "sudo fipsctl show peers 2>/dev/null | grep -c '\"npub\"' || echo 0")
    log_info "  .$node: $count authenticated peers"
done

echo
log_info "DHT resolution test — each node resolves the other 3 by npub:"
declare -A NPUBS=(
  [116]="npub1mxavs6scfgl056k6lm4mk73ddnrhjewg78zlyzfn2lmr0rfyrs5qhcr03g"
  [198]="npub13cy4lml94cj4rdu8runrr945z2muszuvr5tql8mr9m063d7xzpqqu3k8se"
  [228]="npub1a0xxcqce2tsv8ulwastep23jtf3h4wvvry8r8nklnl36jtrdnefqh5qn6h"
  [253]="npub1dl0m0yfzfw6467c3z6q63s7ggzd77yg97j90ptfrheprxeypt3msj0mq4g"
)
for row in "${NODES[@]}"; do
    read -r self_node _ <<< "$row"
    ip="192.168.1.$self_node"
    echo ".${self_node}:"
    for other in 116 198 228 253; do
        [ "$other" = "$self_node" ] && continue
        r=$(ssh_cmd "$ip" "dig @127.0.0.1 -p 5354 +short +time=3 +tries=1 ${NPUBS[$other]}.fips AAAA" 2>&1)
        if [ -z "$r" ]; then
            echo "  .${other} → unresolved (DHT route not found)"
        else
            echo "  .${other} → $r"
        fi
    done
done