Merge pull request #145 from ava-labs/move-keys-dir

add staking key/cert generation
2020-05-12 00:57:35 -04:00 · 2020-05-12 00:57:35 -04:00 · a77e20a9d8
parent ac9eeef3da b96ff7099e
commit a77e20a9d8
20 changed files with 161 additions and 149 deletions
--- a/keys/genCA.sh
+++ b/keys/genCA.sh
@ -1,5 +0,0 @@
-#!/bin/sh
-set -ex
-
-openssl genrsa -out `dirname "$0"`/rootCA.key 4096
-openssl req -x509 -new -nodes -key `dirname "$0"`/rootCA.key -sha256 -days 365250 -out `dirname "$0"`/rootCA.crt
--- a/keys/genStaker.sh
+++ b/keys/genStaker.sh
@ -1,13 +0,0 @@
-#!/bin/sh
-set -ex
-
-keypath=$GOPATH/src/github.com/ava-labs/gecko/keys
-
-if test -f "$keypath/staker.key" || test -f "$keypath/staker.crt"; then
-    echo "staker.key or staker.crt already exists. Not generating new key/certificiate."
-    exit 1
-fi
-
-openssl genrsa -out `dirname "$0"`/staker.key 4096
-openssl req -new -sha256 -key `dirname "$0"`/staker.key -subj "/C=US/ST=NY/O=Avalabs/CN=ava" -out `dirname "$0"`/staker.csr
-openssl x509 -req -in `dirname "$0"`/staker.csr -CA `dirname "$0"`/rootCA.crt -CAkey `dirname "$0"`/rootCA.key -CAcreateserial -out `dirname "$0"`/staker.crt -days 365250 -sha256
--- a/keys/rootCA.crt
+++ b/keys/rootCA.crt
@ -1,34 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIF1jCCA76gAwIBAgIJALI1DF9cpwfEMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
-BAYTAlVTMQswCQYDVQQIDAJOWTEPMA0GA1UEBwwGSXRoYWNhMRAwDgYDVQQKDAdB
-dmFsYWJzMQ4wDAYDVQQLDAVHZWNrbzEMMAoGA1UEAwwDYXZhMSIwIAYJKoZIhvcN
-AQkBFhNzdGVwaGVuQGF2YWxhYnMub3JnMCAXDTE5MDIyODIwNTkyNFoYDzMwMTkw
-MzA4MjA1OTI0WjB/MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkxDzANBgNVBAcM
-Bkl0aGFjYTEQMA4GA1UECgwHQXZhbGFiczEOMAwGA1UECwwFR2Vja28xDDAKBgNV
-BAMMA2F2YTEiMCAGCSqGSIb3DQEJARYTc3RlcGhlbkBhdmFsYWJzLm9yZzCCAiIw
-DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ45ScWV8tsCNO+NTIBuUYsPkhcg
-jrp0HEyCHY3XEkxsLuDqtesNyv39YA0xQ3M3FP1e29tjFeHWJzyzV8O1H+6yco93
-QAtzh9xELYD301Yq+x55yZrSjZxNIC5Tmz1ewTfD315lNR04M6JmqjrStIuLsWFU
-m6P4OgXs4daqnyq9au4PYSrejcbexW59rKxLryK6Acv+E9Ax04oS33g9KqPmlRx0
-lfu3x4nkIKIl+VaK1wC5CwJDYZ91KpEbC8Z2YvTeVDH+/hz/MvKl1CEaqK/4G5FB
-KGEyd/bGRxMVQF41G7liJLaXzPLyZnKO2n21ZuJhkA9MZelt1U0LuQU505qU7IzW
-cmKFEIb1MOrclaF19Is7HQlJWKyDo2/hfjSCZO8zH7eR9EGzKyQwZhwkYCycJD44
-RKEHq6s/Z2dHUlpLIgRJ7k171TNkL9+xLntu8v1lzTkhemSNeO9asqJ7VcvpnMHH
-bQXpDxJpi8jTnV8In8EolSqaKeN6/nzwbbSJ7gHehgpDhC1DlXPRzTt/ktQKlNGW
-T5bdNdvYFyYTd9fu78aJZSbJo8jS2fykWuBgOgnlV8VmwpDa7iHM3EECByhf5GKB
-J1jBlXO1ZyfJ7sNTbuVM7Uc2JkB4ASKdm3GZ3sFv95HjSTJAUORjE4pQ1es4kfDU
-KqzDHH+bEHaGIGJTAgMBAAGjUzBRMB0GA1UdDgQWBBQr2T0duSMkvGXe3bSdWcei
-73QtwzAfBgNVHSMEGDAWgBQr2T0duSMkvGXe3bSdWcei73QtwzAPBgNVHRMBAf8E
-BTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBpP18zCdzvnSdPigg9wx+a8Znr4aJj
-FxZYwBY6/BmKb56ke9g+zKKCw2dYYkRYDcTOEfuBgBvNeCSJv4R5rmkukkL8RCIG
-XV/WfSn2d3Mnz5KTgGQS6Q9s5qx+8ydkiGZthi+8a8ltXczyYrvWgd47U0NWTcOY
-omjgF6XF+hVLWLgiwmA468pd7wyCsuJJkyxxeyDPXQ422I1AJW/7c5JQQa+lDNsv
-Vna6420mZ/DiQd3stFkdjhRjmBZvGQ09g6l3zo6TgI1TWr5TMYPrempBVCWPNilC
-XaMysU77+tPutI+7kMBuGvLuZtPrH/2uTYdXWPodyORm5i2ABF6In3VISPD9YNc0
-gWx3PYGi2BfdnZepCojsffUMlhT3SsiAKMYv5FhW8LQBNMRR4721U1Vf5f8fzNQn
-3E55TthV5HXZQ6HcLhkmOvH8CMqtWGETTbBtYSA2AVMjoqs7QDGkfsCH9UuwGd1N
-W12JOf53XyOQT2XwWerSQC2kv7elsTh6Bk7PhvrCi0OwCVSGny5IQY/aXM1n6Z6s
-scJlZmq6P3AJZ3tRtBt9yDK7iIW7mzNLTb/kAjsNQh06oETJIJ0CIgL0Bn6CANYU
-kNqB4oTxmAhdOPKNgqaIwdZAL1VDIVaQEcvGeZRduo7yZvA/MhuQD8IIKSeOBFaD
-DB8IRfWqBx2nWw==
-----END CERTIFICATE-----
--- a/keys/rootCA.key
+++ b/keys/rootCA.key
@ -1,51 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIJJwIBAAKCAgEAnjlJxZXy2wI0741MgG5Riw+SFyCOunQcTIIdjdcSTGwu4Oq1
-6w3K/f1gDTFDczcU/V7b22MV4dYnPLNXw7Uf7rJyj3dAC3OH3EQtgPfTVir7HnnJ
-mtKNnE0gLlObPV7BN8PfXmU1HTgzomaqOtK0i4uxYVSbo/g6Bezh1qqfKr1q7g9h
-Kt6Nxt7Fbn2srEuvIroBy/4T0DHTihLfeD0qo+aVHHSV+7fHieQgoiX5VorXALkL
-AkNhn3UqkRsLxnZi9N5UMf7+HP8y8qXUIRqor/gbkUEoYTJ39sZHExVAXjUbuWIk
-tpfM8vJmco7afbVm4mGQD0xl6W3VTQu5BTnTmpTsjNZyYoUQhvUw6tyVoXX0izsd
-CUlYrIOjb+F+NIJk7zMft5H0QbMrJDBmHCRgLJwkPjhEoQerqz9nZ0dSWksiBEnu
-TXvVM2Qv37Eue27y/WXNOSF6ZI1471qyontVy+mcwcdtBekPEmmLyNOdXwifwSiV
-Kpop43r+fPBttInuAd6GCkOELUOVc9HNO3+S1AqU0ZZPlt0129gXJhN31+7vxoll
-JsmjyNLZ/KRa4GA6CeVXxWbCkNruIczcQQIHKF/kYoEnWMGVc7VnJ8nuw1Nu5Uzt
-RzYmQHgBIp2bcZnewW/3keNJMkBQ5GMTilDV6ziR8NQqrMMcf5sQdoYgYlMCAwEA
-AQKCAgAhNota05AoEv2Dr5h4eS/azgjvm+D6GLd8A/AqPxRTQH5SrlJDpiCPUmmg
-O1AaVlyslwX1toX4YxjXcBojNdkfJQxRO0oRXU4Oma0nnl4Zf2o5Sn1cZ4hcYAA6
-WUiECGjsyMwRp5MPsCV+mKhxMpu9kzRH5xfIwqmDZuc9RZGlyh8xG79c3VzLeyXc
-fLsLa9O2qW8JICuOj3cFS9LnDYfu4c85Kuv06+4R7vY+s1P0q65YM3+xGO3cKB8o
-WJIPNfityCHKYOl8ssFCGDdAP7VbQuyegBv20z5FafevdM2POPy53HUycwkNkn6Y
-243Xx4VyTeKMo4/dATY+NxC+nRXiz4jLna5a7IIIzjAHl2kF6iJVasd3+X/xWHsM
-Lx9iDRjERf+J+y58GaDxetXL1C0xm7Rv28yMYVPAzpucvS4i72Xj7X8JkO3az3Qv
-/wqBnxj8ouh+5jvT0nqCJsFZwK0F7Dr3na2lSf34XBCTnd9//FfSIY7mDIddxuVF
-2rKKOl2KkvbDUuSKVZwdJeAp1CccN6SfLnxKy+436Z5hYzBIeGyejpCMWivDJ2I3
-wjs4w4IPobT5dqaSdPYFTKJnoDv62vYbIN3o8pQ3QUXwmRPyKoPuxe7OZZyec43R
-WUtajiW6AXjxUoEtPPPHAT/3pGKG2a0VGtDfjLjpp5OtQmteiQKCAQEAz62n9Lh1
-POdC4088GEqrGPhq5MUz2j2pOCjEZ7utmD+Lo8x95McCU+jf4UJ+rbaf96dvjPRC
-T0Sc6X6IvvQycJubzQe6XX6eyZsr67qpuY2MGze+NvmO4LcCOfNHerRyLK2DoGLW
-jQVxJNsBIFo0T7iSuUICbfxKdKxfH+27rPANEvpqS5BJalAfeGPEL0GgUTKQmswc
-23Pnu5mkb7TWLKNVq7o/5PxvXyKmJQaFHCV98pqQr/HhXd79dMD12TPZRvsNgPGK
-XOsmPtC5RHhbs/Wmdk3X3ihoVezou2VPeWCIrCANCuU0zZBK1igVC3FGeUK8u1Dl
-jrTkRsNTLbBiPwKCAQEAwwngBBjbdRCVvUVWIBQBOk/t/6WyeAVH4O/fq32KklW+
-/SN5yeZhXjwMrFhSOqFUDipg/C4Imf5S3V+MlXO4lQsZzZa0d0euBIBt0SEcGE8P
-rAkGcvwPfISBfYCnPem1ax01ixNJBxWDrgkfHZchywNPFgopiqpYR7X5ttACctCl
-KLaDOXn667QmG1icsVgZV3L8gBxEdyjhmUGWFH/auS28oxqhUgiXrUQXbJKCesGD
-E39r/SyOAGP5ZtTkWmNDp2+va8lSJwL1Ix+6qvexi/hIIGoFlSh5w+BwnBlxBL4C
-cUanaXRtIqQ9rcO/xhZ7izmQzruNARLDPGIJ59MS7QKCAQBGR3wJAssZ2yD1j4DE
-r7AK+TYjSODtP+SeDp24hPiQByEYQ0FvRDFzd+Ebd8cqvhyQUGcdiiNOc+et1JYu
-GLFhDifBUJYuwYS2sP5B/Z8mHdKF+20xaW6CeSwVtFBCJAJnQCjFA+2bN3Y8hKhy
-7FO7jriIXOA5nCEOLq7aPTc/pNSn0XpbK+7MPWUI9qoTW+AG2le5Ks2xLh4DjFDr
-RIUeAgAh5xtsQEjoJu+WpAgzqDRg/xFrmS0s+SNIeWw5HqSuspK1SggKvcDpjPTF
-SP2vfrfgXSNqGL6GJW/0yqoEZziZFxeS0lH2JphMtK+6eZDhxEXeFdg5XNnLYJor
-Yf89AoIBAHbRLESys/c0HFTKybYPGdRhXzcvxXKynOBeoZ9Cgsm1LP3fv9EM5WJY
-KMxRnf6Ty7Y5gQ4AKUNPGUI9dFKTxe4ebiC938EOzOd3Ke+OQSRZ/c0rTl98SR7t
-Rkmjt77TAq93gufv3rxPEgJTEj6flHmt0V8236nXLqK5LKB/Rg6WJxePYJACTKeM
-/u4H5KVxazbIGSUek2MYZ59KwlhIr4HCaDng/kgQbf6jDbYZ5x1LiEO3i50XqIZ6
-YTSRG3ApKsz1ECQU6FRVy+sS6FBBR0ti/OWqUS5WEyAOOewO37go3SoPBewLfnTt
-I5oZN1pA1hCyCBK5VSRDPucpPqmY/90CggEAbFRUDyEkq9p7/Va/PYJLMe+1zGoy
-+jCC1nm5LioxrUdpE+CV1t1cVutnlI3sRD+79oX/zwlwQ+pCx1XOMCmGs4uZUx5f
-UtpGnsPamlyQKyQfPam3N4+4gaY9LLPiYCrI/XQh+vZQNlQTStuKLtb0R8+4wEER
-KDTtC2cNN5fSnexEifpvq5yK3x6bH66pPyuRE27vVQ7diPar9A+VwkLs+zGbfnWW
-MP/zYUbuiatC/LozcYLs/01m3Nu6oYi0OP/nFofepXNpQoZO8jKpnGRVVJ0EfgSe
-f3qb9nkygj+gqGWT+PY6H39xKFz0h7dmmcP3Z7CrYXFEFfTCsUgbOKulAA==
-----END RSA PRIVATE KEY-----
--- a/keys/rootCA.srl
+++ b/keys/rootCA.srl
@ -1 +0,0 @@
-BAF3B5C5C6D0D166
--- a/main/params.go
+++ b/main/params.go
@ -10,6 +10,7 @@ import (
 	"net"
 	"os"
 	"path"
+	"path/filepath"
 	"strings"

 	"github.com/ava-labs/gecko/database/leveldb"
@ -19,23 +20,29 @@ import (
 	"github.com/ava-labs/gecko/nat"
 	"github.com/ava-labs/gecko/node"
 	"github.com/ava-labs/gecko/snow/networking/router"
+	"github.com/ava-labs/gecko/staking"
 	"github.com/ava-labs/gecko/utils"
 	"github.com/ava-labs/gecko/utils/formatting"
 	"github.com/ava-labs/gecko/utils/hashing"
 	"github.com/ava-labs/gecko/utils/logging"
 	"github.com/ava-labs/gecko/utils/wrappers"
-	"github.com/mitchellh/go-homedir"
 )

 const (
-	dbVersion    = "v0.2.0"
-	defaultDbDir = "~/.gecko/db"
+	dbVersion = "v0.2.0"
 )

 // Results of parsing the CLI
 var (
-	Config = node.Config{}
-	Err    error
+	Config                 = node.Config{}
+	Err                    error
+	defaultDbDir           = os.ExpandEnv(filepath.Join("$HOME", ".gecko", "db"))
+	defaultStakingKeyPath  = os.ExpandEnv(filepath.Join("$HOME", ".gecko", "staking", "staker.key"))
+	defaultStakingCertPath = os.ExpandEnv(filepath.Join("$HOME", ".gecko", "staking", "staker.crt"))
+)
+
+var (
+	errBootstrapMismatch = errors.New("more bootstrap IDs provided than bootstrap IPs")
 )

 // GetIPs returns the default IPs for each network
@ -54,17 +61,15 @@ func GetIPs(networkID uint32) []string {
 	}
 }

-var (
-	errBootstrapMismatch = errors.New("more bootstrap IDs provided than bootstrap IPs")
-)
-
 // Parse the CLI arguments
 func init() {
 	errs := &wrappers.Errs{}
 	defer func() { Err = errs.Err }()

 	loggingConfig, err := logging.DefaultConfig()
-	errs.Add(err)
+	if errs.Add(err); errs.Errored() {
+		return
+	}

 	fs := flag.NewFlagSet("gecko", flag.ContinueOnError)

@ -100,8 +105,8 @@ func init() {
 	// Staking:
 	consensusPort := fs.Uint("staking-port", 9651, "Port of the consensus server")
 	fs.BoolVar(&Config.EnableStaking, "staking-tls-enabled", true, "Require TLS to authenticate staking connections")
-	fs.StringVar(&Config.StakingKeyFile, "staking-tls-key-file", "keys/staker.key", "TLS private key file for staking connections")
-	fs.StringVar(&Config.StakingCertFile, "staking-tls-cert-file", "keys/staker.crt", "TLS certificate file for staking connections")
+	fs.StringVar(&Config.StakingKeyFile, "staking-tls-key-file", defaultStakingKeyPath, "TLS private key for staking")
+	fs.StringVar(&Config.StakingCertFile, "staking-tls-cert-file", defaultStakingCertPath, "TLS certificate for staking")

 	// Plugins:
 	fs.StringVar(&Config.PluginDir, "plugin-dir", "./build/plugins", "Plugin directory for Ava VMs")
@ -142,22 +147,22 @@ func init() {
 	}

 	networkID, err := genesis.NetworkID(*networkName)
-	errs.Add(err)
+	if errs.Add(err); err != nil {
+		return
+	}

 	Config.NetworkID = networkID

 	// DB:
-	if *db && err == nil {
-		// TODO: Add better params here
-		if *dbDir == defaultDbDir {
-			if *dbDir, err = homedir.Expand(defaultDbDir); err != nil {
-				errs.Add(fmt.Errorf("couldn't resolve default db path: %v", err))
-			}
-		}
+	if *db {
+		*dbDir = os.ExpandEnv(*dbDir) // parse any env variables
 		dbPath := path.Join(*dbDir, genesis.NetworkName(Config.NetworkID), dbVersion)
 		db, err := leveldb.New(dbPath, 0, 0, 0)
+		if err != nil {
+			errs.Add(fmt.Errorf("couldn't create db at %s: %w", dbPath, err))
+			return
+		}
 		Config.DB = db
-		errs.Add(err)
 	} else {
 		Config.DB = memdb.New()
 	}
@ -169,7 +174,7 @@ func init() {
 	if *consensusIP == "" {
 		ip, err = Config.Nat.IP()
 		if err != nil {
-			ip = net.IPv4zero
+			ip = net.IPv4zero // Couldn't get my IP...set to 0.0.0.0
 		}
 	} else {
 		ip = net.ParseIP(*consensusIP)
@ -177,7 +182,9 @@ func init() {

 	if ip == nil {
 		errs.Add(fmt.Errorf("Invalid IP Address %s", *consensusIP))
+		return
 	}
+
 	Config.StakingIP = utils.IPDesc{
 		IP:   ip,
 		Port: uint16(*consensusPort),
@ -190,7 +197,10 @@ func init() {
 	for _, ip := range strings.Split(*bootstrapIPs, ",") {
 		if ip != "" {
 			addr, err := utils.ToIPDesc(ip)
-			errs.Add(err)
+			if err != nil {
+				errs.Add(fmt.Errorf("couldn't parse ip: %w", err))
+				return
+			}
 			Config.BootstrapPeers = append(Config.BootstrapPeers, &node.Peer{
 				IP: addr,
 			})
@ -209,20 +219,27 @@ func init() {
 		cb58 := formatting.CB58{}
 		for _, id := range strings.Split(*bootstrapIDs, ",") {
 			if id != "" {
-				errs.Add(cb58.FromString(id))
-				cert, err := ids.ToShortID(cb58.Bytes)
-				errs.Add(err)
-
+				err = cb58.FromString(id)
+				if err != nil {
+					errs.Add(fmt.Errorf("couldn't parse bootstrap peer id to bytes: %w", err))
+					return
+				}
+				peerID, err := ids.ToShortID(cb58.Bytes)
+				if err != nil {
+					errs.Add(fmt.Errorf("couldn't parse bootstrap peer id: %w", err))
+					return
+				}
 				if len(Config.BootstrapPeers) <= i {
 					errs.Add(errBootstrapMismatch)
-					continue
+					return
 				}
-				Config.BootstrapPeers[i].ID = cert
+				Config.BootstrapPeers[i].ID = peerID
 				i++
 			}
 		}
 		if len(Config.BootstrapPeers) != i {
 			errs.Add(fmt.Errorf("More bootstrap IPs, %d, provided than bootstrap IDs, %d", len(Config.BootstrapPeers), i))
+			return
 		}
 	} else {
 		for _, peer := range Config.BootstrapPeers {
@ -230,6 +247,27 @@ func init() {
 		}
 	}

+	// Staking
+	Config.StakingCertFile = os.ExpandEnv(Config.StakingCertFile) // parse any env variable
+	Config.StakingKeyFile = os.ExpandEnv(Config.StakingKeyFile)
+	switch {
+	// If staking key/cert locations are specified but not found, error
+	case Config.StakingKeyFile != defaultStakingKeyPath || Config.StakingCertFile != defaultStakingCertPath:
+		if _, err := os.Stat(Config.StakingKeyFile); os.IsNotExist(err) {
+			errs.Add(fmt.Errorf("couldn't find staking key at %s", Config.StakingKeyFile))
+			return
+		} else if _, err := os.Stat(Config.StakingCertFile); os.IsNotExist(err) {
+			errs.Add(fmt.Errorf("couldn't find staking certificate at %s", Config.StakingCertFile))
+			return
+		}
+	default:
+		// Only creates staking key/cert if [stakingKeyPath] doesn't exist
+		if err := staking.GenerateStakingKeyCert(Config.StakingKeyFile, Config.StakingCertFile); err != nil {
+			errs.Add(fmt.Errorf("couldn't generate staking key/cert: %w", err))
+			return
+		}
+	}
+
 	// HTTP:
 	Config.HTTPPort = uint16(*httpPort)

@ -238,14 +276,18 @@ func init() {
 		loggingConfig.Directory = *logsDir
 	}
 	logFileLevel, err := logging.ToLevel(*logLevel)
-	errs.Add(err)
+	if errs.Add(err); err != nil {
+		return
+	}
 	loggingConfig.LogLevel = logFileLevel

 	if *logDisplayLevel == "" {
 		*logDisplayLevel = *logLevel
 	}
 	displayLevel, err := logging.ToLevel(*logDisplayLevel)
-	errs.Add(err)
+	if errs.Add(err); err != nil {
+		return
+	}
 	loggingConfig.DisplayLevel = displayLevel

 	Config.LoggingConfig = loggingConfig
--- a/scripts/ansible/restart_playbook.yml
+++ b/scripts/ansible/restart_playbook.yml
@ -7,8 +7,8 @@
  vars:
    ava_binary: ~/go/src/github.com/ava-labs/gecko/build/ava
    repo_folder: ~/go/src/github.com/ava-labs/gecko
-    repo_name: ava-labs/gecko-internal
-    repo_branch: platformvm-proposal-accept
+    repo_name: ava-labs/gecko
+    repo_branch: master
  roles:
    - name: ava-stop
    - name: ava-build
--- a/scripts/ansible/test-inventory.yml
+++ b/scripts/ansible/test-inventory.yml
@ -2,8 +2,8 @@ borealis_bootstrap:
  hosts:
      bootstrap1:
        ansible_host: 3.84.129.247
-        staking_tls_key_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/keys/local/staker1.key"
-        staking_tls_cert_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/keys/local/staker1.crt"
+        staking_tls_key_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/staking/local/staker1.key"
+        staking_tls_cert_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/staking/local/staker1.crt"
  vars:
    ansible_connection: ssh
    ansible_user: ubuntu
@ -44,20 +44,20 @@ borealis_node:
  hosts:
      node1:
        ansible_host: 35.153.99.244
-        staking_tls_key_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/keys/local/staker2.key"
-        staking_tls_cert_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/keys/local/staker2.crt"
+        staking_tls_key_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/staking/local/staker2.key"
+        staking_tls_cert_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/staking/local/staker2.crt"
      node2:
        ansible_host: 34.201.137.119
-        staking_tls_key_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/keys/local/staker3.key"
-        staking_tls_cert_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/keys/local/staker3.crt"
+        staking_tls_key_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/staking/local/staker3.key"
+        staking_tls_cert_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/staking/local/staker3.crt"
      node3:
        ansible_host: 54.146.1.110
-        staking_tls_key_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/keys/local/staker4.key"
-        staking_tls_cert_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/keys/local/staker4.crt"
+        staking_tls_key_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/staking/local/staker4.key"
+        staking_tls_cert_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/staking/local/staker4.crt"
      node4:
        ansible_host: 54.91.255.231
-        staking_tls_key_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/keys/local/staker5.key"
-        staking_tls_cert_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/keys/local/staker5.crt"
+        staking_tls_key_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/staking/local/staker5.key"
+        staking_tls_cert_file: "/home/ubuntu/go/src/github.com/ava-labs/gecko/staking/local/staker5.crt"
  vars:
    ansible_connection: ssh
    ansible_user: ubuntu
--- a/scripts/ansible/update_playbook.yml
+++ b/scripts/ansible/update_playbook.yml
@ -7,8 +7,8 @@
  vars:
    ava_binary: ~/go/src/github.com/ava-labs/gecko/build/ava
    repo_folder: ~/go/src/github.com/ava-labs/gecko
-    repo_name: ava-labs/gecko-internal
-    repo_branch: platformvm-proposal-accept
+    repo_name: ava-labs/gecko
+    repo_branch: master
  roles:
    - name: ava-stop
    - name: ava-build
--- a/staking/gen_staker_key.go
+++ b/staking/gen_staker_key.go
@ -0,0 +1,74 @@
+package staking
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+// GenerateStakingKeyCert generates a self-signed TLS key/cert pair to use in staking
+// The key and files will be placed at [keyPath] and [certPath], respectively
+// If there is already a file at [keyPath], returns nil
+func GenerateStakingKeyCert(keyPath, certPath string) error {
+	// If there is already a file at [keyPath], do nothing
+	if _, err := os.Stat(keyPath); !os.IsNotExist(err) {
+		return nil
+	}
+
+	// Create key to sign cert with
+	key, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return fmt.Errorf("couldn't generate rsa key: %w", err)
+	}
+
+	// Create self-signed staking cert
+	certTemplate := &x509.Certificate{
+		SerialNumber:          big.NewInt(0),
+		NotBefore:             time.Date(2000, time.January, 0, 0, 0, 0, 0, time.UTC),
+		NotAfter:              time.Now().AddDate(100, 0, 0),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageDataEncipherment,
+		BasicConstraintsValid: true,
+	}
+	certBytes, err := x509.CreateCertificate(rand.Reader, certTemplate, certTemplate, &key.PublicKey, key)
+	if err != nil {
+		return fmt.Errorf("couldn't create certificate: %w", err)
+	}
+
+	// Write cert to disk
+	if err := os.MkdirAll(filepath.Dir(certPath), 0755); err != nil {
+		return fmt.Errorf("couldn't create path for key/cert: %w", err)
+	}
+	certOut, err := os.Create(certPath)
+	if err != nil {
+		return fmt.Errorf("couldn't create cert file: %w", err)
+	}
+	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certBytes}); err != nil {
+		return fmt.Errorf("couldn't write cert file: %w", err)
+	}
+	if err := certOut.Close(); err != nil {
+		return fmt.Errorf("couldn't close cert file: %w", err)
+	}
+
+	// Write key to disk
+	keyOut, err := os.Create(keyPath)
+	if err != nil {
+		return fmt.Errorf("couldn't create key file: %w", err)
+	}
+	privBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return fmt.Errorf("couldn't marshal private key: %w", err)
+	}
+	if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil {
+		return fmt.Errorf("couldn't write private key: %w", err)
+	}
+	if err := keyOut.Close(); err != nil {
+		return fmt.Errorf("couldn't close key file: %w", err)
+	}
+	return nil
+}
--- a/staking/local/staker1.crt
+++ b/staking/local/staker1.crt
--- a/staking/local/staker1.key
+++ b/staking/local/staker1.key
--- a/staking/local/staker2.crt
+++ b/staking/local/staker2.crt
--- a/staking/local/staker2.key
+++ b/staking/local/staker2.key
--- a/staking/local/staker3.crt
+++ b/staking/local/staker3.crt
--- a/staking/local/staker3.key
+++ b/staking/local/staker3.key
--- a/staking/local/staker4.crt
+++ b/staking/local/staker4.crt
--- a/staking/local/staker4.key
+++ b/staking/local/staker4.key
--- a/staking/local/staker5.crt
+++ b/staking/local/staker5.crt
--- a/staking/local/staker5.key
+++ b/staking/local/staker5.key