Automated CipherNode deployment

.github/workflows/ecs-deployment.yml

@@ -0,0 +1,60 @@
+name: Build and Deploy Ciphernode to ECS
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'packages/ciphernode/**'
+      - 'packages/evm/contracts/**'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'packages/ciphernode/**'
+      - 'packages/evm/contracts/**'
+
+env:
+  ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY }}
+  DOCKERFILE_PATH: packages/ciphernode/Dockerfile
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-latest
+    environment: production
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Mask Infomation
+      run: |
+        echo "::add-mask::${{ secrets.AWS_ACCOUNT_ID }}"
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+        aws-region: ${{ vars.AWS_REGION }}
+
+    - name: Login to Amazon ECR
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v2
+
+    - name: Build, tag, and push image to Amazon ECR
+      id: build-image
+      env:
+        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+        IMAGE_TAG: ${{ github.sha }}
+      run: |
+        docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -f $DOCKERFILE_PATH .
+        docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:latest
+        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+        docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
+        echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+        echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:latest" >> $GITHUB_OUTPUT

docker-compose.dev.yml

@@ -0,0 +1,3 @@
+services:
+  ciphernode:
+    network_mode: "host"

docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+  ciphernode:
+    build:
+      context: .
+      dockerfile: ./packages/ciphernode/Dockerfile
+    image: ciphernode:latest
+    volumes:
+      - ${CONFIG_FILE}:/home/ciphernode/.config/enclave/config.yaml:ro  # Read-only config directory
+      - ${SECRETS_FILE}:/home/ciphernode/secrets/secrets.json:ro  # Read-only secrets directory
+      - ciphernode-data:/home/ciphernode/.local/share/enclave  # Persistent data
+    environment:
+      RUST_LOG: "info"
+      AGGREGATOR: "false"
+    restart: unless-stopped
+
+volumes:
+  ciphernode-data:

packages/ciphernode/Dockerfile

@@ -0,0 +1,49 @@
+FROM node:20 AS evm-builder
+
+WORKDIR /build/packages/evm
+COPY ./packages/evm ./
+RUN yarn install && yarn compile
+
+# Build stage
+FROM rust:1.81 AS ciphernode-builder
+
+# Create build directory
+WORKDIR /build/packages/ciphernode
+COPY ./packages/ciphernode ./
+COPY --from=evm-builder /build/packages/evm/artifacts ../evm/artifacts
+RUN cargo build --release
+
+# Runtime stage
+FROM debian:bookworm-slim
+
+# Install runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends iptables ca-certificates jq && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Create non-root user
+RUN useradd -m -u 1000 -s /bin/bash ciphernode
+
+# Create necessary directories with proper permissions
+RUN mkdir -p /home/ciphernode/.config/enclave \
+    /home/ciphernode/.local/share/enclave \
+    /home/ciphernode/secrets && \
+    chown -R ciphernode:ciphernode /home/ciphernode && \
+    chmod 700 /home/ciphernode/secrets
+
+# Switch to non-root user
+USER ciphernode
+WORKDIR /home/ciphernode
+
+# Copy binary from builder
+COPY --from=ciphernode-builder --chown=ciphernode:ciphernode /build/packages/ciphernode/target/release/enclave /usr/local/bin/
+
+# Environment variables for configuration
+ENV CONFIG_DIR=/home/ciphernode/.config/enclave
+ENV SECRETS_DIR=/home/ciphernode/secrets
+ENV DATA_DIR=/home/ciphernode/.local/share/enclave
+ENV RUST_LOG=info
+
+# Add entrypoint script
+COPY --from=ciphernode-builder --chmod=755 --chown=ciphernode:ciphernode /build/packages/ciphernode/ciphernode-entrypoint.sh /usr/local/bin/
+
+ENTRYPOINT ["ciphernode-entrypoint.sh"]

packages/ciphernode/ciphernode-entrypoint.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+
+# Paths to config and secrets
+CONFIG_FILE="$CONFIG_DIR/config.yaml"
+SECRETS_FILE="$SECRETS_DIR/secrets.json"
+KEYFILE="$CONFIG_DIR/key"
+AGGREGATOR="$AGGREGATOR"
+
+# Ensure required files exist
+if [ ! -f "$CONFIG_FILE" ]; then
+    echo "Error: Config file $CONFIG_FILE not found!"
+    exit 1
+fi
+
+if [ ! -f "$SECRETS_FILE" ]; then
+    echo "Error: Secrets file $SECRETS_FILE not found!"
+    exit 1
+fi
+
+# Read secrets from the JSON file
+PRIVATE_KEY=$(jq -r '.private_key' "$SECRETS_FILE")
+PASSWORD=$(jq -r '.password' "$SECRETS_FILE")
+
+if [ -z "$PRIVATE_KEY" ] || [ -z "$PASSWORD" ]; then
+    echo "Error: Missing 'private_key' or 'password' in secrets file!"
+    exit 1
+fi
+
+# Set password and private key
+echo "Setting password"
+enclave password create --config "$CONFIG_FILE" --password "$PASSWORD"
+if [ "$AGGREGATOR" = "true" ]; then
+    if [ -f "$KEYFILE" ]; then
+        echo "Setting private key"
+        enclave wallet set --config "$CONFIG_FILE" --private-key "$PRIVATE_KEY"
+    fi
+    echo "Starting aggregator"
+    # Start the aggregator
+    exec enclave aggregator start --config "$CONFIG_FILE"
+else
+    echo "Starting Ciphernode"
+    exec enclave start --config "$CONFIG_FILE"
+fi
+
+