-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathrigforge.sh
More file actions
executable file
·3115 lines (2890 loc) · 155 KB
/
Copy pathrigforge.sh
File metadata and controls
executable file
·3115 lines (2890 loc) · 155 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#!/usr/bin/env bash
#
# XMRig Worker Deployment Script
# Automates the provisioning of a high-performance Monero mining worker.
# Handles dependency installation, kernel tuning (HugePages/MSR), and service configuration.
#
# Sections, in order (search for "# --- "):
# Logging utilities · Global variables · Helpers (idempotent edits, build math, GRUB)
# Setup pipeline: prerequisites & config → workspace & deps → build → XMRig config → service/kernel
# Orchestration (main) · Lifecycle (upgrade / uninstall)
# Auto-tuning: memo & stats → power/thermal sensing → measurement → search → 'tune' command
# Backup / restore · Commands (service control, version, apply, bench) · Doctor · Usage & dispatch
#
set -Eeuo pipefail
# --- Logging Utilities ---
readonly C_RESET='\033[0m'
readonly C_GREEN='\033[1;32m'
readonly C_YELLOW='\033[1;33m'
readonly C_RED='\033[1;31m'
readonly C_BLUE='\033[1;34m'
log() { echo -e "${C_GREEN}[INFO]${C_RESET} $1"; }
warn() { echo -e "${C_YELLOW}[WARN]${C_RESET} $1"; }
error() {
echo -e "${C_RED}[ERROR]${C_RESET} $1"
exit 1
}
# Names the phase currently running so the ERR trap can report where an unexpected failure happened.
CURRENT_STEP="starting up"
on_err() {
local ec=$?
echo -e "${C_RED}[ERROR]${C_RESET} rigforge aborted while ${CURRENT_STEP} (exit $ec)." >&2
if [ -n "${BUILD_LOG:-}" ] && [ -f "${BUILD_LOG:-}" ]; then
echo " Build output is in: $BUILD_LOG — last lines:" >&2
tail -n 20 "$BUILD_LOG" >&2 2>/dev/null || true
fi
echo " Re-run with 'bash -x $0' to trace the exact command." >&2
}
# --- Global Variables ---
OS_TYPE="$(uname -s)"
# Resolve a path through any symlink chain and echo the directory that holds the real file (absolute).
# This is what lets an on-PATH symlink (e.g. /usr/local/bin/rigforge -> the checkout) still locate the
# repo it points into, so config.json / util/ / data/ resolve to the checkout, not the symlink's dir.
# Portable (no `readlink -f`, which BSD/macOS lacks): follow links one hop at a time.
_script_dir() {
local src="${1:-${BASH_SOURCE[0]}}" dir
while [ -L "$src" ]; do
dir=$(cd -P "$(dirname "$src")" &>/dev/null && pwd)
src=$(readlink "$src")
case "$src" in /*) ;; *) src="$dir/$src" ;; esac
done
cd -P "$(dirname "$src")" &>/dev/null && pwd
}
# Base directory for the script's bundled assets (VERSION, systemd/, util/) and its runtime state
# (config.json, data/, backups/). Defaults to the directory the script lives in — resolved through any
# symlink, so a normal deploy is unchanged AND a `rigforge` symlink on PATH still finds the repo.
# Overridable via RIGFORGE_HOME so the test suite can run THIS file against a throwaway sandbox
# (keeping per-test state isolated) instead of a copy of it, which lets coverage credit the real
# script for black-box runs too (#68).
SCRIPT_DIR="${RIGFORGE_HOME:-$(_script_dir)}"
# The operator to hand root-written files back to. Under interactive `sudo` that's SUDO_USER. The
# periodic autotune runs from systemd as root with NO SUDO_USER — so its unit bakes in RIGFORGE_OPERATOR
# (the operator captured at setup time), keeping the scheduled run from re-owning files to root.
REAL_USER="${SUDO_USER:-${RIGFORGE_OPERATOR:-${USER:-$(id -un)}}}"
CONFIG_JSON="$SCRIPT_DIR/config.json"
REBOOT_REQUIRED=false
SERVICE_INSTALLED=false
# Pinned XMRig release for reproducible / supply-chain-hardened builds.
# Override via environment if you need a different release.
XMRIG_VERSION="${XMRIG_VERSION:-v6.26.0}"
XMRIG_COMMIT="${XMRIG_COMMIT:-b2ca72480c58d197e18c885d9fc1a0c8d517e60a}"
# Set to false when the pinned XMRig commit is already built, so a re-run/upgrade skips the (slow)
# recompile and the service restart — making re-runs idempotent (#4).
XMRIG_REBUILD=true
# System paths the script writes to. Overridable so the test suite can redirect them at a sandbox
# (the defaults are the real locations, so production behaviour is unchanged).
LOGROTATE_DIR="${LOGROTATE_DIR:-/etc/logrotate.d}"
GRUB_DEFAULT="${GRUB_DEFAULT:-/etc/default/grub}"
FSTAB="${FSTAB:-/etc/fstab}"
LIMITS_CONF="${LIMITS_CONF:-/etc/security/limits.conf}"
MODULES_LOAD_DIR="${MODULES_LOAD_DIR:-/etc/modules-load.d}"
MODULES_FILE="${MODULES_FILE:-/etc/modules}"
SYSTEMD_DIR="${SYSTEMD_DIR:-/etc/systemd/system}"
HUGEPAGES_1G_DIR="${HUGEPAGES_1G_DIR:-/dev/hugepages1G}"
# Directory on PATH where `setup` installs the `rigforge` command (a symlink back to this script).
BIN_DIR="${BIN_DIR:-/usr/local/bin}"
# Read-only system paths the `doctor` health check inspects (overridable for tests).
MEMINFO="${MEMINFO:-/proc/meminfo}"
MSR_MODULE_DIR="${MSR_MODULE_DIR:-/sys/module/msr}"
GOVERNOR_FILE="${GOVERNOR_FILE:-/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor}"
HUGEPAGES_1G_NR="${HUGEPAGES_1G_NR:-/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages}"
# Hashrate-capping-hardware diagnostics (#67): RAM layout (dmidecode) + effective CPU clock under load.
DMIDECODE="${DMIDECODE:-dmidecode}"
RDMSR_BIN="${RDMSR_BIN:-rdmsr}" # msr-tools, for doctor's register-level MSR verification (#66)
CPUFREQ_MAX="${CPUFREQ_MAX:-/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq}"
CPU_SYSFS="${CPU_SYSFS:-/sys/devices/system/cpu}"
MIN_RAM_MTS="${MIN_RAM_MTS:-2666}" # warn below this configured RAM speed (MT/s)
MIN_CLOCK_PCT="${MIN_CLOCK_PCT:-75}" # warn when the loaded clock is below this % of max boost
# BIOS/firmware advisory (#78): board/BIOS identity + SMT state (both world-readable from sysfs).
DMI_DIR="${DMI_DIR:-/sys/class/dmi/id}"
SMT_CONTROL="${SMT_CONTROL:-/sys/devices/system/cpu/smt/control}"
# systemd service name for the worker.
SERVICE_NAME="${SERVICE_NAME:-xmrig}"
# Detect whether we're being sourced (e.g. by the test suite). When sourced we only define
# functions/constants and skip running main, so functions can be exercised in isolation.
_RIGFORGE_SOURCED=0
if [ "${BASH_SOURCE[0]}" != "${0}" ]; then _RIGFORGE_SOURCED=1; fi
# Report which step failed on an unexpected error (skip when sourced by the test suite).
[ "$_RIGFORGE_SOURCED" = "0" ] && trap on_err ERR
# --- Helpers: idempotent edits, build math & GRUB cmdline ---
# Append a single line to a file only if that exact line is not already present (idempotent).
# Uses sudo so it works on root-owned system files; harmless when the file is user-writable.
append_once() {
local file="$1" line="$2"
grep -qFx "$line" "$file" 2>/dev/null || echo "$line" | sudo tee -a "$file" >/dev/null
}
# Inverse of append_once: remove every exact-match line from a file (idempotent). Used by `uninstall`.
remove_line() { # <file> <line>
local file="$1" line="$2" tmp
[ -f "$file" ] || return 0
grep -qFx "$line" "$file" 2>/dev/null || return 0
tmp=$(mktemp)
grep -vFx "$line" "$file" >"$tmp" 2>/dev/null || true
sudo cp "$tmp" "$file"
rm -f "$tmp"
}
# Choose a safe build parallelism: don't exceed core count, and cap at ~1 job per 2 GB of RAM so the
# heavy XMRig/RandomX C++ translation units don't OOM low-memory hosts. Honors MEMINFO for testing.
compute_build_jobs() { # <ncpu>
local mem_kb mem_gb jobs="$1" max
mem_kb=$(awk '/^MemTotal:/ {print $2}' "${MEMINFO:-/proc/meminfo}" 2>/dev/null || echo 0)
mem_gb=$((mem_kb / 1024 / 1024))
if [ "$mem_gb" -gt 0 ]; then
max=$((mem_gb / 2))
[ "$max" -lt 1 ] && max=1
[ "$jobs" -gt "$max" ] && jobs="$max"
fi
[ "$jobs" -lt 1 ] && jobs=1
echo "$jobs"
}
# True if a finished XMRig build for the pinned commit already exists, so we can skip the recompile.
# Requires BOTH the built binary and a commit marker that matches XMRIG_COMMIT (a marker without a
# binary means an incomplete build → rebuild).
xmrig_already_built() {
local marker="$WORKER_ROOT/xmrig/.rigforge-commit"
[ -x "$WORKER_ROOT/xmrig/build/xmrig" ] && [ -f "$marker" ] && [ "$(cat "$marker" 2>/dev/null)" = "$XMRIG_COMMIT" ]
}
# Merge the HugePage/MSR kernel params we manage into an existing GRUB cmdline, preserving every
# other parameter and replacing only the ones we own (so re-runs don't accumulate). Echoes the merged
# cmdline. Usage: grub_merge_cmdline "<managed params>" "<current cmdline>"
grub_merge_cmdline() {
local managed="$1" current="$2" preserved="" tok
for tok in $current; do
case "$tok" in
hugepagesz=* | hugepages=* | default_hugepagesz=* | msr.allow_writes=*) ;; # ours — drop, re-added below
*) preserved="${preserved:+$preserved }$tok" ;;
esac
done
echo "${preserved:+$preserved }$managed"
}
# Drop only the kernel params RigForge manages (HugePages/MSR), preserving everything else. The inverse
# of what tune_kernel adds — used by `uninstall` to revert the GRUB cmdline.
grub_strip_managed() { # <current cmdline>
local current="$1" preserved="" tok
for tok in $current; do
case "$tok" in
hugepagesz=* | hugepages=* | default_hugepagesz=* | msr.allow_writes=*) ;; # ours — drop
*) preserved="${preserved:+$preserved }$tok" ;;
esac
done
printf '%s' "$preserved"
}
# --- Setup: prerequisites & configuration ---
check_prerequisites() {
log "Verifying system prerequisites..."
if ! command -v jq &>/dev/null; then
if [ "$OS_TYPE" == "Darwin" ]; then
if command -v brew &>/dev/null; then
log "Installing prerequisite: jq..."
brew install jq
else
error "Homebrew is required on macOS to install dependencies."
fi
else
log "Installing prerequisite: jq..."
if command -v apt-get &>/dev/null; then
# This is often the FIRST apt call on a fresh boot, so carry the same DPkg::Lock::Timeout
# as install_dependencies (#74) — otherwise an unattended-upgrades lock fails it outright.
sudo apt-get update -qq -o DPkg::Lock::Timeout=300 &&
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq -o DPkg::Lock::Timeout=300 jq
elif command -v dnf &>/dev/null; then
sudo dnf install -y -q jq
elif command -v pacman &>/dev/null; then
sudo pacman -Sy --noconfirm jq
else
error "jq is required and no supported package manager was found. Please install jq manually."
fi
fi
fi
}
ensure_config_exists() {
if [ ! -f "$CONFIG_JSON" ]; then
warn "Configuration file not found: $CONFIG_JSON"
# `|| true`: on a non-interactive stdin (EOF) `read` returns non-zero, which would abort the run
# via the ERR trap; instead fall through to the clear "configuration required" error below.
read -r -p "Create a minimal configuration now? (y/N): " CREATE_CONF || true
if [[ "$CREATE_CONF" =~ ^[Yy] ]]; then
log "Starting interactive setup..."
# We only need the pool URL — every other key has a sensible default (see
# config.reference.json for the full list). The URL is host:port (Pithead's proxy
# listens on 3333).
read -r -p "Enter your pool URL (host:port, e.g. your-stack:3333): " IN_URL || true
if [ -z "$IN_URL" ]; then
error "A pool URL is required. Aborting."
fi
if ! [[ "$IN_URL" =~ :[0-9]+$ ]]; then
error "Pool URL must include a port, e.g. $IN_URL:3333. Aborting."
fi
# Validate the host now, the same way parse_config will in a moment — otherwise a host-less URL
# like ":3333" passes the port check, gets written, and then parse_config hard-errors on it,
# leaving a broken config.json on disk that suppresses this prompt on the re-run (the file now
# exists). Failing before the write keeps the user re-promptable.
_host="${IN_URL%:*}"
case "$_host" in
\[*\]) [[ "$_host" =~ ^\[[0-9A-Fa-f:]+\]$ ]] || error "Pool URL '$IN_URL' has an invalid IPv6 literal (use [addr]:port). Aborting." ;;
*) [[ "$_host" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] || error "Pool URL host '$_host' is not a valid hostname or IP. Aborting." ;;
esac
# Minimal config: just the native pools array. jq writes it so the URL is safely quoted.
jq -n --arg url "$IN_URL" '{pools: [{url: $url}]}' >"$CONFIG_JSON"
_reown_worker # hand the freshly-created config.json to the operator, even if setup later fails
log "Created $CONFIG_JSON successfully."
# New-user safety net: the minimal config has no wallet, so a PUBLIC-pool miner who stops here
# would credit hashes to the hostname, not themselves — and nothing later (doctor included)
# flags it, since it's a pool-side auth detail. Pithead users correctly need no wallet.
warn "Mining to a PUBLIC pool (SupportXMR, etc.)? Add your Monero wallet as the pool \"user\" in"
warn "$CONFIG_JSON and run 'sudo $0 apply', or your hashes credit '$(hostname)', not you."
warn "Connecting to a Pithead stack instead? You're all set — no wallet needed."
else
error "Configuration file required to proceed."
fi
fi
}
parse_config() {
log "Parsing configuration..."
# A missing config (e.g. `apply`/`tune` before `setup`) is a different, clearer error than bad JSON.
if [ ! -f "$CONFIG_JSON" ]; then
error "No configuration at $CONFIG_JSON — run 'sudo $0 setup' first (it creates one on first run)."
fi
if ! jq -e . "$CONFIG_JSON" >/dev/null 2>&1; then
error "$CONFIG_JSON is not valid JSON."
fi
# HOME_DIR becomes a filesystem path we mkdir/cd/write under (with sudo), so validate it via the
# shared resolver (the same one the privileged uninstall/backup/restore use, so none of them can act
# on an unvalidated path).
RAW_HOME=$(jq -r '.HOME_DIR // "DYNAMIC_HOME"' "$CONFIG_JSON")
if ! WORKER_ROOT=$(_worker_root_for_home "$RAW_HOME"); then
error "HOME_DIR must be \"DYNAMIC_HOME\" or an absolute path (letters, digits, . _ - /); got: '$RAW_HOME'."
fi
DONATION=$(jq -r '.DONATION // 1' "$CONFIG_JSON")
# donate-level is a percentage; the compile step also seds this into donate.h, so a malformed
# value would corrupt both the XMRig config and the source patch. Require an integer 0-100.
if ! [[ "$DONATION" =~ ^[0-9]+$ ]] || [ "$DONATION" -gt 100 ]; then
error "DONATION must be an integer between 0 and 100 (got: $DONATION)."
fi
# Pool(s). The pool target is XMRig's native `pools` array — the same structure XMRig uses
# ({"url","user","pass","keepalive","tls",...}). Each entry needs a `url` of the form `host:port`;
# every other field falls back to a Pithead-friendly default. List multiple entries for failover.
# The pool `user` is left blank here and filled with the rig name in generate_xmrig_config.
if ! jq -e '.pools | type == "array" and length > 0' "$CONFIG_JSON" >/dev/null 2>&1; then
error "No pools configured. Set a 'pools' array in $CONFIG_JSON — e.g. {\"pools\": [{\"url\": \"your-pool-host:3333\"}]}."
fi
POOLS_JSON=$(jq -c '
.pools | map({
url: (.url // ""),
user: (.user // ""),
pass: (.pass // "x"),
keepalive: (.keepalive // true),
tls: (.tls // false),
enabled: (.enabled // true)
})
' "$CONFIG_JSON") || error "Could not parse 'pools' in $CONFIG_JSON."
# Validate every pool field — fail fast with a clear message rather than writing a config XMRig
# would choke on. url must be host:port: a valid hostname / IPv4 / bracketed-IPv6 host and a port
# in 1-65535; user/pass reject whitespace and shell/control characters; keepalive/tls/enabled
# must be booleans.
# Iterate one compact JSON object per pool (robust even when a field like user is empty), and read
# each field back with jq.
while IFS= read -r _pool; do
_u=$(jq -r '.url' <<<"$_pool")
_user=$(jq -r '.user' <<<"$_pool")
_pass=$(jq -r '.pass' <<<"$_pool")
[ -n "$_u" ] || error "A pool entry has no url — set 'pools[].url' (host:port) in $CONFIG_JSON."
if ! [[ "$_u" =~ :[0-9]+$ ]]; then
error "Pool url '$_u' must include a port, e.g. $_u:3333."
fi
_host="${_u%:*}"
_port="${_u##*:}"
if [ "$_port" -lt 1 ] || [ "$_port" -gt 65535 ]; then
error "Pool port must be between 1 and 65535 (got '$_port' in '$_u')."
fi
# The host must be a valid hostname / FQDN / IPv4, or a bracketed IPv6 literal. This also
# rejects the unfilled template placeholder (<...>), whitespace, and shell/URL metacharacters.
case "$_host" in
\[*\]) [[ "$_host" =~ ^\[[0-9A-Fa-f:]+\]$ ]] || error "Pool url '$_u' has an invalid IPv6 literal (use [addr]:port)." ;;
*) [[ "$_host" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] || error "Pool url host '$_host' is not a valid hostname or IP." ;;
esac
if [ -n "$_user" ] && ! [[ "$_user" =~ ^[A-Za-z0-9._:@+-]+$ ]]; then
error "Pool user '$_user' has invalid characters (allowed: letters, digits, . _ - : @ +)."
fi
if ! [[ "$_pass" =~ ^[[:graph:]]+$ ]]; then
error "Pool pass must be non-empty with no spaces or control characters."
fi
for _f in keepalive tls enabled; do
_bv=$(jq -r --arg f "$_f" '.[$f]' <<<"$_pool")
case "$_bv" in true | false) ;; *) error "Pool $_f must be true or false (got: $_bv)." ;; esac
done
done < <(jq -c '.[]' <<<"$POOLS_JSON")
# HTTP API token (OPTIONAL). By default the rig's read-only xmrig API is left OPEN — no token.
# Pithead's stock contract is a no-auth probe of GET http://<rig>:8080/1/summary, so an
# untokened, `restricted` (read-only) API works out of the box. Set ACCESS_TOKEN to require a
# Bearer token instead — then match it on the dashboard side (Pithead `workers.api_auth: token`
# + `workers.api_token`; or `name` if you set ACCESS_TOKEN to the rig name). See
# docs/pithead-integration.md.
ACCESS_TOKEN=$(jq -r '.ACCESS_TOKEN // empty' "$CONFIG_JSON")
# When set, the token is sent as an HTTP Authorization header, so keep it to safe, header-clean
# characters. Empty is allowed and means "open API" (the default).
if [ -n "$ACCESS_TOKEN" ] && ! [[ "$ACCESS_TOKEN" =~ ^[A-Za-z0-9._:@+-]+$ ]]; then
error "ACCESS_TOKEN has invalid characters (allowed: letters, digits, . _ - : @ +): '$ACCESS_TOKEN'."
fi
# Opt-in periodic live auto-tuning (#46, #95): tri-state. "disabled" (default) installs no timer;
# "performance" schedules a periodic tune for raw H/s; "efficiency" schedules one for hashrate-per-watt.
# Legacy booleans still parse (true -> performance, false -> disabled); a typo hard-errors rather than
# silently disabling tuning. AUTOTUNE_TARGET (perf|efficiency) is what autotune() and the unit consume.
_at=$(jq -r '.autotune // "disabled"' "$CONFIG_JSON")
case "$_at" in
disabled | false | off | none | null | "") AUTOTUNE_MODE=disabled ;;
performance | perf | true | on) AUTOTUNE_MODE=performance ;;
efficiency | eff) AUTOTUNE_MODE=efficiency ;;
*) error "Invalid \"autotune\" value '$_at' in config.json — use \"disabled\", \"performance\", or \"efficiency\"." ;;
esac
case "$AUTOTUNE_MODE" in efficiency) AUTOTUNE_TARGET=efficiency ;; *) AUTOTUNE_TARGET=perf ;; esac
# Opt-in: install a `rigforge` command on PATH (a symlink in BIN_DIR). Off by default — setup makes
# no system-wide convenience change you didn't ask for.
ADD_TO_PATH=$(jq -r '.add_to_path // false' "$CONFIG_JSON")
}
# --- Setup: workspace & dependency install ---
prepare_workspace() {
log "Preparing workspace at $WORKER_ROOT..."
if [ ! -d "$WORKER_ROOT" ]; then
mkdir -p "$WORKER_ROOT" 2>/dev/null || sudo mkdir -p "$WORKER_ROOT"
fi
# Fix permissions to ensure the current user can write
if [ "${EUID:-$(id -u)}" -eq 0 ] || [ ! -w "$WORKER_ROOT" ]; then
if [ "$OS_TYPE" == "Darwin" ]; then
sudo chown -R "$REAL_USER" "$WORKER_ROOT"
else
sudo chown -R "$REAL_USER":"$REAL_USER" "$WORKER_ROOT"
fi
fi
cd "$WORKER_ROOT"
GIT_DIR="xmrig"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
# Archive the existing installation only when we're about to rebuild (a no-op re-run keeps it).
if [ "$XMRIG_REBUILD" = true ] && [ -d "$GIT_DIR" ]; then
log "Archiving existing worker installation..."
mv "$GIT_DIR" "${GIT_DIR}-${TIMESTAMP}"
fi
# Prune old build archives so re-runs don't grow the disk without bound (keep the most recent
# few). Override the retention count with KEEP_ARCHIVES. The `|| true` keeps an empty glob (no
# archives yet) from tripping `set -e`/`pipefail`.
local keep="${KEEP_ARCHIVES:-3}" archives
# shellcheck disable=SC2012 # archive names are controlled (xmrig-YYYYmmdd_HHMMSS); ls -t orders by recency
archives="$(ls -dt "${GIT_DIR}-"* 2>/dev/null || true)"
if [ -n "$archives" ]; then
printf '%s\n' "$archives" | tail -n +"$((keep + 1))" | while IFS= read -r old; do
[ -n "$old" ] || continue
log "Pruning old build archive: $(basename "$old")"
rm -rf "$old" 2>/dev/null || sudo rm -rf "$old"
done
fi
}
install_dependencies() {
if [ "$OS_TYPE" == "Darwin" ]; then
log "Installing macOS dependencies..."
if command -v brew &>/dev/null; then
if [ "${EUID:-$(id -u)}" -eq 0 ]; then
# Drop privileges for Homebrew if running as root
sudo -u "$REAL_USER" brew install cmake libuv openssl hwloc
else
brew install cmake libuv openssl hwloc
fi
else
error "Homebrew not found."
fi
else
local dependencies=""
local install_cmd=""
local check_cmd=""
if command -v apt-get &>/dev/null; then
dependencies="git build-essential cmake libuv1-dev libssl-dev libhwloc-dev gettext-base"
if [ "$OS_TYPE" == "Linux" ]; then
# msr-tools (rdmsr): lets `doctor` verify the prefetcher MSR mod actually applied (#66).
dependencies="$dependencies linux-tools-common msr-tools"
if apt-cache show "linux-tools-$(uname -r)" &>/dev/null; then
dependencies="$dependencies linux-tools-$(uname -r)"
fi
fi
# DPkg::Lock::Timeout waits for the apt/dpkg lock instead of failing — fresh boots often have
# unattended-upgrades holding it for a minute or two (#74).
install_cmd="sudo apt-get update -qq -o DPkg::Lock::Timeout=300 && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq -o DPkg::Lock::Timeout=300 -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'"
check_cmd="dpkg -s"
elif command -v dnf &>/dev/null; then
dependencies="git cmake libuv-devel openssl-devel hwloc-devel gettext gcc gcc-c++ make automake kernel-devel msr-tools"
install_cmd="sudo dnf install -y"
check_cmd="rpm -q"
elif command -v pacman &>/dev/null; then
dependencies="git cmake libuv openssl hwloc gettext base-devel"
install_cmd="sudo pacman -Sy --noconfirm --needed"
check_cmd="pacman -Qi"
else
warn "No supported package manager found. Please install dependencies manually."
return
fi
# $dependencies are PACKAGE names (build-essential, libuv1-dev, gettext-base — most have no
# same-named binary), so the package manager is the authority for "is it installed", not
# `command -v` (which would both miss header-only -dev packages and let an unrelated PATH binary
# mask a genuinely-absent package). Query $check_cmd only.
local missing_deps=""
for dep in $dependencies; do
if ! $check_cmd "$dep" &>/dev/null; then
missing_deps="$missing_deps $dep"
fi
done
if [ -n "$missing_deps" ]; then
# `setup` is an automated provisioner (often run headless / over the release e2e), so install
# the build dependencies non-interactively rather than prompting — an interactive `read` here
# hit EOF and aborted the whole run under `set -e` on a non-tty stdin (#74).
log "Installing required system dependencies:"
echo -e " ${C_YELLOW}$missing_deps${C_RESET}"
eval "$install_cmd $missing_deps"
else
log "All system dependencies are already installed."
fi
fi
}
# --- Setup: build XMRig from source ---
compile_xmrig() {
if [ "$XMRIG_REBUILD" != true ]; then
log "XMRig $XMRIG_VERSION (commit ${XMRIG_COMMIT:0:12}) already built — skipping clone/compile."
# Enter the build dir the rebuild path also ends in, so generate_xmrig_config (which writes a
# relative config.json) emits it where the service actually reads it: --config=$BUILD_DIR/config.json
# with BUILD_DIR=$WORKER_ROOT/xmrig/build. Without this, a no-rebuild setup re-run would drop the
# regenerated config.json in $WORKER_ROOT and the miner would keep loading the stale build/config.json
# — config edits would silently never take effect. The dir is guaranteed to exist here (a no-rebuild
# decision requires the built binary under it). `apply` and the rebuild path already cd here.
cd "$WORKER_ROOT/xmrig/build"
return 0
fi
log "Cloning and patching XMRig source code ($XMRIG_VERSION)..."
# Remove any partial/stale clone an interrupted or commit-mismatched prior run left behind — otherwise
# `git clone` aborts with "destination path 'xmrig' already exists and is not empty".
rm -rf xmrig
git clone --quiet --branch "$XMRIG_VERSION" --depth 1 https://github.com/xmrig/xmrig.git
# Verify we built the exact commit we pinned (supply-chain hardening). On a mismatch, drop the clone so
# the next run starts clean rather than tripping the not-empty error above.
actual="$(git -C xmrig rev-parse HEAD)"
[ "$actual" = "$XMRIG_COMMIT" ] || {
rm -rf xmrig
error "XMRig commit mismatch: expected $XMRIG_COMMIT, got $actual"
}
log "Verified XMRig $XMRIG_VERSION at commit $XMRIG_COMMIT"
# Build output goes to a logfile (not /dev/null) so a failed compile is diagnosable; the ERR trap
# points the user at it. BUILD_LOG is global so on_err can find it.
BUILD_LOG="$WORKER_ROOT/build.log"
: >"$BUILD_LOG" 2>/dev/null || true
local cores jobs
if [ "$OS_TYPE" == "Darwin" ]; then
sed -i '' "s/DonateLevel = 1;/DonateLevel = $DONATION;/g" xmrig/src/donate.h
cores=$(sysctl -n hw.ncpu)
jobs=$(compute_build_jobs "$cores")
log "Compiling binary ($jobs of $cores cores; output -> $BUILD_LOG)..."
mkdir -p xmrig/build && cd xmrig/build
# macOS often needs explicit OpenSSL root for cmake if installed via brew
cmake .. -DWITH_HWLOC=ON -DOPENSSL_ROOT_DIR="$(brew --prefix openssl)" >>"$BUILD_LOG" 2>&1
else
sed -i "s/DonateLevel = 1;/DonateLevel = $DONATION;/g" xmrig/src/donate.h
cores=$(nproc)
jobs=$(compute_build_jobs "$cores")
log "Compiling binary ($jobs of $cores cores; output -> $BUILD_LOG)..."
mkdir -p xmrig/build && cd xmrig/build
cmake .. -DWITH_HWLOC=ON >>"$BUILD_LOG" 2>&1
fi
make -j"$jobs" >>"$BUILD_LOG" 2>&1
# Record the built commit so a later run can detect "already built" and skip the recompile (#4).
echo "$XMRIG_COMMIT" >"$WORKER_ROOT/xmrig/.rigforge-commit"
}
# --- Setup: XMRig config generation (CPU / NUMA / MSR layout) ---
generate_xmrig_config() {
log "Generating hardware-optimized XMRig configuration..."
# Identify CPU Topology
if [ "$OS_TYPE" == "Darwin" ]; then
CPU_MODEL=$(sysctl -n machdep.cpu.brand_string)
else
# Anchor to "^Model name:" — as root, lscpu also prints a "BIOS Model name:" line (a DMI string
# like "... Unknown CPU @ 4.2GHz"), and an unanchored grep would concatenate both into one line.
CPU_MODEL=$(lscpu | grep -E '^Model name:' | cut -d':' -f2 | xargs)
fi
LOG_FILE_PATH="$WORKER_ROOT/xmrig.log"
# Default optimization profile.
#
# We deliberately lean on XMRig's own auto-detection rather than matching CPU model names: with
# asm=auto, rx=-1 (auto thread count, sized to L3) and wrmsr=true, XMRig picks the right assembly
# path, thread layout and per-family MSR preset from the detected topology — and stays correct for
# CPUs we'd never enumerate (new Zen/X3D SKUs, Intel hybrid P/E cores, etc.). See issue #44.
#
# On top of auto-detection we set defaults appropriate for a DEDICATED miner (issue #43):
# - yield=false : busy-wait for maximum hashrate (we own the whole box)
# - priority=2 : win scheduling vs. background daemons (XMRig warns >2 can hang a desktop)
# - numa=true : XMRig default; a no-op on single-socket, essential on multi-socket/EPYC
# - init-avx2=-1 : auto — already uses AVX2 for dataset init when the CPU supports it
YIELD="false"
PRIORITY="2"
ASM="\"auto\""
THREADS="-1"
NUMA="true"
PREFETCH=1
WRMSR="true"
RDMSR="true"
HUGE_PAGES="true"
MEMORY_POOL="true"
ONE_GB_PAGES="true"
# cpu.huge-pages-jit: false, matching XMRig's upstream default. XMRig documents it as only a "very
# small boost on Ryzen, but hashrate is unstable" — not worth the jitter on a production rig (and it
# would add noise to the `tune` search). $JIT maps to cpu.huge-pages-jit in the config below.
JIT="false"
INIT_AVX2="-1"
# Lock down the HTTP API to READ-ONLY (restricted) so it can't be used to *control* the miner
# remotely. Keep it bound to all interfaces, NOT localhost: Pithead reads per-rig stats from the
# stack host via GET http://<rig>:8080/1/summary (read-only; OPEN by default — see ACCESS_TOKEN
# above). Binding localhost would break that integration — see issue #24. Workers are expected to
# live on a trusted LAN, which is why a read-only API with no token is a safe default there.
HTTP_RESTRICTED="true"
HTTP_HOST="0.0.0.0"
# macOS Specific Overrides (only the values that differ from the shared defaults above)
if [ "$OS_TYPE" == "Darwin" ]; then
ASM="true"
WRMSR="false"
RDMSR="false"
HUGE_PAGES="false"
MEMORY_POOL="false"
ONE_GB_PAGES="false"
HTTP_HOST="::"
# Generate rx array [-1, -1, ...] based on core count
CORES=$(sysctl -n hw.ncpu)
THREADS="["
for ((i = 0; i < CORES; i++)); do
THREADS="${THREADS}-1"
if [ $i -lt $((CORES - 1)) ]; then THREADS="${THREADS},"; fi
done
THREADS="${THREADS}]"
fi
# NOTE: we no longer special-case CPUs by model name (the old EPYC / Ryzen-X3D branches). XMRig's
# auto-config is cache-aware and updated every release, so it sizes threads and picks asm/MSR/NUMA
# better — and correctly — for any CPU, including ones a name table would miss or get wrong (the
# old X3D branch pinned threads to ALL cores, which is wrong on dual-CCD parts like the 7950X3D
# where only one CCD has the V-cache). See issue #44.
if [ "$OS_TYPE" != "Darwin" ]; then
log "Detected CPU: ${CPU_MODEL:-unknown} — using XMRig auto-tuning (threads, asm, MSR, NUMA auto-detected)."
fi
# Rig label for the pool `user` field (#22): any pool entry that didn't set its own `user` gets the
# machine hostname, so the worker shows up named on the dashboard.
FULL_USER="$(hostname)"
# Build the whole XMRig config from scratch (issue #55). There's no template file to keep in sync:
# the tuned parts (pools, donate-level, the http block, the cpu/randomx sections) come from the
# variables above, and the few static defaults (autosave, randomx mode, opencl/cuda off) are
# emitted inline. `jq -n` builds the object from null input; any tuned overrides are merged below.
jq -n --argjson pools "$POOLS_JSON" \
--arg user "$FULL_USER" \
--arg access_token "$ACCESS_TOKEN" \
--arg log "$LOG_FILE_PATH" \
--argjson yield "$YIELD" \
--argjson prio "$PRIORITY" \
--argjson numa "$NUMA" \
--argjson asm "$ASM" \
--argjson rx "$THREADS" \
--argjson prefetch "$PREFETCH" \
--argjson jit "$JIT" \
--argjson wrmsr "$WRMSR" \
--argjson rdmsr "$RDMSR" \
--argjson huge_pages "$HUGE_PAGES" \
--argjson memory_pool "$MEMORY_POOL" \
--argjson one_gb_pages "$ONE_GB_PAGES" \
--argjson avx2 "$INIT_AVX2" \
--argjson restricted "$HTTP_RESTRICTED" \
--argjson donation "$DONATION" \
--arg host "$HTTP_HOST" \
'{
autosave: true,
cpu: {
enabled: true,
"huge-pages": $huge_pages,
"huge-pages-jit": $jit,
"memory-pool": $memory_pool,
yield: $yield,
priority: $prio,
asm: $asm,
rx: $rx
},
randomx: {
init: -1,
mode: "fast",
"1gb-pages": $one_gb_pages,
rdmsr: $rdmsr,
wrmsr: $wrmsr,
cache_qos: false,
numa: $numa,
scratchpad_prefetch_mode: $prefetch,
"init-avx2": $avx2
},
pools: ($pools | map(.user = (if (.user // "") == "" then $user else .user end))),
"donate-level": $donation,
"donate-over-proxy": $donation,
http: {
enabled: true,
host: $host,
port: 8080,
"access-token": (if $access_token == "" then null else $access_token end),
restricted: $restricted
},
opencl: false,
cuda: false,
"log-file": $log
}' >config.json
# Overlay any tuned knobs (#46) on top — kept in a separate file (written by `tune`) so the user's
# config.json is never touched. A recursive merge lets tuning win for just the keys it sets.
if [ -f "$WORKER_ROOT/tune-overrides.json" ]; then
local _ovr
_ovr=$(mktemp)
if jq -s '.[0] * .[1]' config.json "$WORKER_ROOT/tune-overrides.json" >"$_ovr" 2>/dev/null; then
mv "$_ovr" config.json
log "Applied tuned overrides from tune-overrides.json."
else
rm -f "$_ovr"
fi
fi
# The live config holds the pool/wallet and the API token, so keep it owner-only (a root `jq`
# redirect would otherwise leave it world-readable). _reown_worker hands ownership to the operator
# later; chmod here is preserved across that chown, and root (the service) reads it regardless.
chmod 600 config.json
if [ "$OS_TYPE" == "Linux" ]; then
log "Configuring log rotation policy..."
# Install logrotate configuration
sudo tee "$LOGROTATE_DIR/xmrig" >/dev/null <<EOF
$LOG_FILE_PATH {
daily
missingok
rotate 7
compress
delaycompress
notifempty
copytruncate
minsize 50M
create 0644 $REAL_USER $REAL_USER
}
EOF
fi
}
# --- Setup: service, kernel tuning & deployment ---
install_service() {
if [ "$OS_TYPE" == "Linux" ]; then
log "Installing systemd service..."
export BUILD_DIR="$WORKER_ROOT/xmrig/build"
CPUPOWER_PATH=$(command -v cpupower || echo "/usr/bin/cpupower")
export CPUPOWER_PATH
# Overwrite the existing file. Only the three named vars are substituted; WORKER_ROOT is passed
# into envsubst's environment for that one command (the template uses it in ReadWritePaths).
WORKER_ROOT="$WORKER_ROOT" envsubst '$BUILD_DIR $CPUPOWER_PATH $WORKER_ROOT' \
<"$SCRIPT_DIR/systemd/xmrig.service.template" | sudo tee "$SYSTEMD_DIR/xmrig.service" >/dev/null
# Reload systemd daemon
sudo systemctl daemon-reload
# Enable service to start on boot
sudo systemctl enable xmrig.service
if [ "$REBOOT_REQUIRED" = true ]; then
# HugePages aren't reserved until the GRUB change takes effect on reboot — starting the miner
# now would run it DEGRADED (no huge-page backing, Restart=always churn) until then. So only
# enable it; it starts automatically after the reboot. (#audit A2)
log "Service enabled — it will start automatically after you reboot."
elif [ "$XMRIG_REBUILD" = true ]; then
# Restart only when the binary was rebuilt; otherwise just ensure it's running (a running
# service is left undisturbed on a no-op re-run).
log "Restarting XMRig service..."
sudo systemctl restart xmrig.service
else
log "No rebuild — ensuring the service is running (no restart)."
sudo systemctl start xmrig.service
fi
SERVICE_INSTALLED=true
else
warn "Service installation is not supported on $OS_TYPE."
fi
}
# Install (or remove) the systemd timer that runs `autotune` periodically, based on the `autotune`
# config flag (#46). Idempotent: toggling the flag off cleanly removes the timer.
install_autotune() {
[ "$OS_TYPE" == "Linux" ] || return 0
local svc="$SYSTEMD_DIR/rigforge-autotune.service" tmr="$SYSTEMD_DIR/rigforge-autotune.timer"
if [ "${AUTOTUNE_MODE:-disabled}" = "disabled" ]; then
if [ -f "$tmr" ]; then
sudo systemctl disable --now rigforge-autotune.timer 2>/dev/null || true
sudo rm -f "$svc" "$tmr"
sudo systemctl daemon-reload 2>/dev/null || true
log "Periodic autotune disabled."
fi
return 0
fi
log "Enabling periodic autotune: $(_autotune_desc "$AUTOTUNE_MODE"), runs ${AUTOTUNE_ONCALENDAR:-monthly}..."
# Render the unit templates from systemd/ (kept alongside xmrig.service.template, not inline). The
# service bakes in RIGFORGE_OPERATOR=$REAL_USER so the root timer hands files back to the operator,
# and AUTOTUNE_TARGET (#95) so the scheduled run optimizes for the target the operator chose.
SERVICE_NAME="$SERVICE_NAME" RIGFORGE_OPERATOR="$REAL_USER" SCRIPT_DIR="$SCRIPT_DIR" AUTOTUNE_TARGET="${AUTOTUNE_TARGET:-perf}" \
envsubst '$SERVICE_NAME $RIGFORGE_OPERATOR $SCRIPT_DIR $AUTOTUNE_TARGET' \
<"$SCRIPT_DIR/systemd/rigforge-autotune.service.template" | sudo tee "$svc" >/dev/null
AUTOTUNE_ONCALENDAR="${AUTOTUNE_ONCALENDAR:-monthly}" \
envsubst '$AUTOTUNE_ONCALENDAR' \
<"$SCRIPT_DIR/systemd/rigforge-autotune.timer.template" | sudo tee "$tmr" >/dev/null
sudo systemctl daemon-reload
sudo systemctl enable --now rigforge-autotune.timer 2>/dev/null || true
}
tune_kernel() {
if [ "$OS_TYPE" != "Linux" ]; then
log "Skipping kernel tuning (Not supported on $OS_TYPE)."
return
fi
if [[ "$(uname -m)" == "x86_64" || "$(uname -m)" == "i686" ]]; then
log "Enabling MSR module for hardware prefetcher tuning..."
sudo modprobe msr 2>/dev/null || true
if [ -d "$MODULES_LOAD_DIR" ]; then
echo "msr" | sudo tee "$MODULES_LOAD_DIR/msr.conf" >/dev/null
elif [ -f "$MODULES_FILE" ]; then
append_once "$MODULES_FILE" "msr"
fi
fi
# #65: size the HugePages reservation for the thread count we'll actually run — the tuned cpu.rx if
# `tune` pinned one (so setup + tune stay consistent), or an explicit RIGFORGE_THREADS override (the
# documented resize-then-re-tune path). Empty => proposed-grub.sh falls back to its L3 estimate.
RX_SETUP_THREADS=""
if [ -n "${RIGFORGE_THREADS:-}" ]; then
RX_SETUP_THREADS="$RIGFORGE_THREADS"
elif [ -f "$WORKER_ROOT/tune-overrides.json" ]; then
RX_SETUP_THREADS=$(jq -r '.cpu.rx // empty' "$WORKER_ROOT/tune-overrides.json" 2>/dev/null) || RX_SETUP_THREADS=""
fi
case "$RX_SETUP_THREADS" in -1 | '' | *[!0-9]*) RX_SETUP_THREADS="" ;; esac
[ -n "$RX_SETUP_THREADS" ] && log "Sizing the HugePages reservation for $RX_SETUP_THREADS mining thread(s) (#65)."
log "Applying runtime memory tuning..."
if [ -f "$SCRIPT_DIR/util/proposed-grub.sh" ]; then
# Calculate exact requirement based on hardware, the tuned thread count, and 1GB page status
REQUIRED_PAGES=$(RX_THREADS="$RX_SETUP_THREADS" "$SCRIPT_DIR/util/proposed-grub.sh" --runtime)
log "Hardware-optimized HugePages: $REQUIRED_PAGES (2MB pages) calculated."
sudo sysctl -w vm.nr_hugepages="$REQUIRED_PAGES"
else
# Fallback when proposed-grub.sh is missing: 3072 × 2MB = 6 GB of huge pages — enough for the
# ~2.3 GB RandomX dataset plus per-thread scratchpads on a large desktop/server, without over-
# reserving on smaller hosts. proposed-grub.sh computes an exact, hardware-sized value instead.
warn "Utility script not found. Fallback to safe default (3072)."
sudo sysctl -w vm.nr_hugepages=3072
fi
log "Configuring bootloader (GRUB) for persistent HugePages..."
if [ -f "$SCRIPT_DIR/util/proposed-grub.sh" ] && [ -f "$GRUB_DEFAULT" ]; then
# proposed-grub.sh prints a generic "quiet splash" prefix plus the HugePage/MSR params we
# manage. Keep only the params we manage and MERGE them into the existing cmdline so we don't
# clobber other kernel parameters the user/distro set (#19 — boot-safety).
MANAGED=$(RX_THREADS="$RX_SETUP_THREADS" "$SCRIPT_DIR/util/proposed-grub.sh" -q)
MANAGED="${MANAGED#quiet splash }"
CURRENT=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$GRUB_DEFAULT" | head -n1)
MERGED=$(grub_merge_cmdline "$MANAGED" "$CURRENT")
if [ "$CURRENT" = "$MERGED" ]; then
log "GRUB is already configured with optimal HugePages settings."
else
sudo cp "$GRUB_DEFAULT" "$GRUB_DEFAULT.bak"
sudo sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$MERGED\"|" "$GRUB_DEFAULT"
if command -v update-grub >/dev/null; then
sudo update-grub
REBOOT_REQUIRED=true
else
warn "'update-grub' not found. Please manually update your bootloader."
fi
fi
else
warn "Skipping GRUB updates (Utility not found or non-GRUB system)."
fi
}
configure_limits() {
if [ "$OS_TYPE" != "Linux" ]; then
return
fi
log "Configuring persistent HugePage mounts and memory limits..."
sudo mkdir -p "$HUGEPAGES_1G_DIR"
# Configure fstab for HugePage mounts (Idempotent)
append_once "$FSTAB" "hugetlbfs /dev/hugepages hugetlbfs defaults 0 0"
append_once "$FSTAB" "hugetlbfs_1g $HUGEPAGES_1G_DIR hugetlbfs pagesize=1G 0 0"
sudo mount -a || warn "Mount operation returned errors. Check 'dmesg' for details."
# Configure security limits for memlock (idempotent). Scope it to the mining user instead of every
# account ("*") — the systemd service runs as root with its own LimitMEMLOCK=infinity, so this
# entry only needs to cover manual/interactive runs by the operator (#13).
append_once "$LIMITS_CONF" "$REAL_USER soft memlock unlimited"
append_once "$LIMITS_CONF" "$REAL_USER hard memlock unlimited"
}
# Put a `rigforge` command on PATH: a symlink in BIN_DIR pointing at this script, so the operator can
# run `sudo rigforge <cmd>` from anywhere instead of `./rigforge.sh`. OPT-IN via `add_to_path` in
# config.json (off by default). Best-effort and idempotent — it never fails the deploy. `uninstall`
# removes it regardless, but only while it's still our symlink.
link_cli() {
[ "${ADD_TO_PATH:-false}" = "true" ] || return 0
local target="$SCRIPT_DIR/rigforge.sh" link="$BIN_DIR/rigforge"
if [ ! -d "$BIN_DIR" ]; then
warn "Skipped the 'rigforge' command — $BIN_DIR doesn't exist. Run it as './rigforge.sh' instead."
return 0
fi
if [ -L "$link" ] && [ "$(readlink "$link" 2>/dev/null)" = "$target" ]; then
return 0 # already our symlink — keep idempotent re-runs quiet
fi
if [ -e "$link" ] && [ ! -L "$link" ]; then
warn "Didn't add the 'rigforge' command — $link already exists and isn't a RigForge symlink."
return 0
fi
# Use sudo only when BIN_DIR isn't writable (it is when setup runs as root on Linux); empty prefix
# otherwise. shellcheck SC2086: the unquoted prefix is intentional (it must vanish when empty).
local sudo_pfx=""
[ -w "$BIN_DIR" ] || sudo_pfx="sudo"
# shellcheck disable=SC2086
if $sudo_pfx rm -f "$link" 2>/dev/null && $sudo_pfx ln -s "$target" "$link" 2>/dev/null; then
log "Installed the 'rigforge' command -> $link (try: 'sudo rigforge doctor' from anywhere)."
else
warn "Couldn't add the 'rigforge' command at $link (permissions?). Run it as './rigforge.sh' instead."
fi
}
finish_deployment() {
echo ""
log "--------------------------------------------------------"
log "Deployment Complete."
if [ "$REBOOT_REQUIRED" = true ]; then
warn "ACTION REQUIRED: A system reboot is mandatory to enable HugePages."
echo "Please run: 'sudo reboot' now."
else
log "Worker configured successfully. No reboot required."
fi
log "--------------------------------------------------------"
echo ""
if [ "$SERVICE_INSTALLED" = true ]; then
if [ "$REBOOT_REQUIRED" = true ]; then
log "Service enabled — it starts automatically after the reboot above (then: $0 status / logs)."
else
log "Service created. xmrig running in background (check: $0 status / logs)."
fi
else
log "Start the miner with:"
echo " $0 start # then: $0 status / logs / stop"
fi
}
# --- Orchestration: main (setup) ---
# Decide whether the pinned XMRig needs (re)building. Call after parse_config (needs WORKER_ROOT).
decide_rebuild() {
if xmrig_already_built; then
XMRIG_REBUILD=false
log "XMRig $XMRIG_VERSION already built at the pinned commit — recompile will be skipped."
else
XMRIG_REBUILD=true
fi
}
# Re-own everything written as root back to the invoking operator. setup/upgrade/tune/apply/restore write
# files under WORKER_ROOT as root (the XMRig build, the generated config, logs, tune-overrides), and the
# first-run config.json is created as root under `sudo` — leaving a tree the operator can't edit, re-run
# `setup` over without sudo, or `git clean`. Reconcile ownership once at the end of each such command,
# rather than chmod-ing every individual `sudo cp`/`tee`. No-op unless we're root on Linux/macOS.
_reown_worker() {
[ "$(id -u)" -eq 0 ] || return 0
local owner
case "$OS_TYPE" in
Linux) owner="$REAL_USER:$REAL_USER" ;;
Darwin) owner="$REAL_USER" ;;
*) return 0 ;;
esac
if [ -n "${WORKER_ROOT:-}" ] && [ -e "$WORKER_ROOT" ]; then sudo chown -R "$owner" "$WORKER_ROOT" 2>/dev/null || true; fi
if [ -f "$CONFIG_JSON" ]; then sudo chown "$owner" "$CONFIG_JSON" 2>/dev/null || true; fi
}
main() {
CURRENT_STEP="verifying prerequisites"
check_prerequisites
CURRENT_STEP="ensuring config exists"
ensure_config_exists
CURRENT_STEP="parsing config"
parse_config
CURRENT_STEP="checking the build"
decide_rebuild
CURRENT_STEP="preparing workspace"
prepare_workspace
CURRENT_STEP="installing dependencies"
install_dependencies
CURRENT_STEP="compiling XMRig"
compile_xmrig
CURRENT_STEP="generating XMRig config"
generate_xmrig_config
CURRENT_STEP="tuning the kernel"
tune_kernel
CURRENT_STEP="configuring limits"
configure_limits
CURRENT_STEP="installing the service"
install_service
CURRENT_STEP="configuring autotune"
install_autotune
CURRENT_STEP="linking the rigforge command"
link_cli # opt-in (add_to_path): put `rigforge` on PATH so the operator can run it from anywhere
CURRENT_STEP="reconciling file ownership"
_reown_worker # hand the build/config/logs back to the operator so they can edit + re-run without sudo