scripts/fleet-fips-pair.sh writes a deterministic /etc/fips/fips.yaml
on each of our 4 dev fleet nodes (.116/.198/.228/.253), listing the
other three as static FIPS peers over their LAN IPs (UDP 2121 / TCP
8443). Also flips `node.identity.persistent: true` so the npub stays
stable across restarts — without this the daemon rolls a new keypair
on every restart and federation invites that carried the previous
npub go stale.

The script is NOT the general deployment mechanism:

- Every archipelago install already ships fips.v0l.io as an anchor
  peer, so any node can DHT-route to any npub that has ever announced
  on the public mesh.
- Federation invites (v1.4+) carry the peer's fips_npub, so accepting
  an invite is enough for crate::fips::dial::peer_base_url(npub) to
  reach the peer through the anchor network.
- This script is a LAN fast-path optimization so intra-fleet traffic
  stays on the wire instead of bouncing through fips.v0l.io.

Usage:

    scripts/fleet-fips-pair.sh            # apply to all nodes
    scripts/fleet-fips-pair.sh --verify   # print current peer state

Verified: all 4 fleet nodes now report 3 authenticated peers each
(their 3 fleet siblings), plus fips.v0l.io in the identity cache.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>