feat(nitro): complete Nitro/Orbit chain deployment support

Major improvements to Nitro orchestrator for production deployments:

Orchestrator (orchestrator.go):
- Enhanced state machine for deployment stages
- Better error handling and recovery
- Improved progress tracking and logging
- Support for Celestia DA configuration

Deployer (deployer.go):
- Complete L1 contract deployment flow
- Chain configuration generation
- Genesis file creation
- Rollup contract interaction

Config (config.go):
- Celestia DA provider configuration
- POPSigner mTLS endpoint settings
- Batch poster and staker address management
- Chain parameter validation

Bundle (bundler.go, nitro.go):
- Docker Compose generation for Nitro + Celestia
- Environment template generation
- Certificate bundle packaging
- README and documentation generation

Handler (handler.go):
- API endpoints for deployment management
- Artifact download endpoints
- Status and progress endpoints

This enables full Nitro/Orbit chain deployments via Popkins.

Author: Bidon15

control-plane/cmd/server/main.go

@@ -167,16 +167,23 @@ func main() {
 		nitroMTLSEndpoint = "https://51.15.112.44:8546"
 	}
 
+	// Initialize Nitro infrastructure repository (stores deployed RollupCreator addresses)
+	nitroInfraRepo := repository.NewNitroInfrastructureRepository(db.Pool())
+
 	nitroOrch := nitro.NewOrchestrator(
 		bootstrapRepo,
 		nitroCertProvider,
 		nitro.OrchestratorConfig{
 			Logger:                logger,
 			WorkerPath:            "internal/bootstrap/nitro/worker",
 			POPSignerMTLSEndpoint: nitroMTLSEndpoint,
+			NitroInfraRepo:        nitroInfraRepo,
 		},
 	)
-	logger.Info("Nitro orchestrator initialized", slog.String("mtls_endpoint", nitroMTLSEndpoint))
+	logger.Info("Nitro orchestrator initialized",
+		slog.String("mtls_endpoint", nitroMTLSEndpoint),
+		slog.Bool("infra_repo_enabled", true),
+	)
 
 	// Initialize key resolver and API key manager for orchestrator
 	keyResolver := bootstraporchestrator.NewKeyServiceResolver(keySvc)

control-plane/internal/bootstrap/bundle/bundler.go

@@ -138,12 +138,17 @@ func (b *Bundler) buildBundleConfig(deployment *repository.Deployment, artifacts
 		cfg.Artifacts[a.ArtifactType] = a.Content
 	}
 
+	// Extract ready-to-use .env file if present (from env_file artifact)
+	if envFileData, ok := cfg.Artifacts["env_file"]; ok {
+		cfg.EnvFile = string(envFileData)
+	}
+
 	// Set default POPSigner endpoints
 	switch cfg.Stack {
 	case StackOPStack:
 		cfg.POPSignerEndpoint = "https://rpc.popsigner.com"
 	case StackNitro:
-		cfg.POPSignerMTLSEndpoint = "https://rpc-mtls.popsigner.com"
+		cfg.POPSignerMTLSEndpoint = "https://rpc-mtls.popsigner.com:8546"
 	}
 
 	return cfg

control-plane/internal/bootstrap/bundle/nitro.go

@@ -61,11 +61,24 @@ func (b *Bundler) createNitroBundle(cfg *BundleConfig) (*BundleResult, error) {
 	}
 	files = append(files, FileEntry{
 		Path:        ".env.example",
-		Description: "Environment variables template (copy to .env and fill in)",
-		Required:    true,
+		Description: "Environment variables template (for reference)",
+		Required:    false,
 		SizeBytes:   int64(len(cfg.EnvExample)),
 	})
 
+	// .env (ready-to-use with actual values)
+	if cfg.EnvFile != "" {
+		if err := tarW.addFile(baseDir+"/.env", []byte(cfg.EnvFile)); err != nil {
+			return nil, fmt.Errorf("add .env: %w", err)
+		}
+		files = append(files, FileEntry{
+			Path:        ".env",
+			Description: "Ready-to-use environment file (pre-configured)",
+			Required:    true,
+			SizeBytes:   int64(len(cfg.EnvFile)),
+		})
+	}
+
 	// ===========================================
 	// CONFIG DIRECTORY
 	// ===========================================

control-plane/internal/bootstrap/bundle/types.go

@@ -111,6 +111,7 @@ type BundleConfig struct {
 	// Generated files (from compose generator)
 	DockerCompose string
 	EnvExample    string
+	EnvFile       string // Ready-to-use .env file with actual values
 }
 
 // BundleResult contains the generated bundle and metadata.

control-plane/internal/bootstrap/nitro/config.go

@@ -83,6 +83,12 @@ func (g *ArtifactGenerator) GenerateArtifacts(
 		return err
 	}
 
+	// 6b. Generate ready-to-use .env file
+	envFile := GenerateEnv(config, result)
+	if err := g.saveTextArtifact(ctx, deploymentID, "env_file", envFile); err != nil {
+		return err
+	}
+
 	// 7. Generate README.md
 	readme := GenerateReadme(config, result)
 	if err := g.saveTextArtifact(ctx, deploymentID, "readme", readme); err != nil {
@@ -255,7 +261,7 @@ func buildChainConfig(config *DeployConfig) map[string]interface{} {
 			//   true  = AnyTrust DAC mode
 			// For Celestia, we use external-provider flags with DAC=false
 			"DataAvailabilityCommittee": config.DataAvailability == "anytrust",
-			"InitialArbOSVersion":       20,
+			"InitialArbOSVersion":       51, // ArbOS 51 - Nitro consensus-v51
 			"InitialChainOwner":         config.Owner,
 			"GenesisBlockNum":           0,
 		},
@@ -614,6 +620,13 @@ services:
       - POPSIGNER_API_KEY=${POPSIGNER_CELESTIA_API_KEY}
       # Parent chain RPC for Blobstream validation (fraud proofs)
       - ETH_RPC_URL=${L1_RPC_URL}
+    # Healthcheck ensures celestia-das-server is ready before nitro-sequencer starts
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://localhost:9876/health"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+      start_period: 10s
     networks:
       - nitro-network
 
@@ -635,7 +648,7 @@ services:
     restart: unless-stopped
     depends_on:
       celestia-das-server:
-        condition: service_started
+        condition: service_healthy  # Wait for healthcheck to pass, not just container start
     ports:
       - "8547:8547" # HTTP RPC
       - "8548:8548" # WebSocket RPC
@@ -651,6 +664,9 @@ services:
       - L1_RPC_URL=${L1_RPC_URL} # Can be HTTP or WSS (e.g., wss://sepolia.infura.io/ws/v3/KEY)
       - L1_BEACON_URL=${L1_BEACON_URL} # Beacon Chain API (HTTP)
       - POPSIGNER_MTLS_URL=${POPSIGNER_MTLS_URL}
+      # External signer addresses (managed by PopSigner)
+      - BATCH_POSTER_ADDRESS=${BATCH_POSTER_ADDRESS}
+      - STAKER_ADDRESS=${STAKER_ADDRESS}
     command:
       # -------------------------------------------------------------------------
       # Core Chain Configuration
@@ -699,18 +715,27 @@ services:
       # -------------------------------------------------------------------------
       - --node.batch-poster.enable=true
       - --node.batch-poster.data-poster.external-signer.url=${POPSIGNER_MTLS_URL}
+      - --node.batch-poster.data-poster.external-signer.address=${BATCH_POSTER_ADDRESS}
       - --node.batch-poster.data-poster.external-signer.method=eth_signTransaction
       - --node.batch-poster.data-poster.external-signer.client-cert=/certs/client.crt
       - --node.batch-poster.data-poster.external-signer.client-private-key=/certs/client.key
+      - --node.batch-poster.data-poster.external-signer.root-ca=/certs/ca.crt
       # -------------------------------------------------------------------------
-      # Staker/Validator Configuration (uses PopSigner for L1 tx signing)
+      # Staker/Validator Configuration (BOLD Protocol)
+      # IMPORTANT: BOLD requires WETH (not native ETH) for staking!
+      # Before starting, ensure your STAKER_ADDRESS has:
+      #   1. WETH tokens (wrap ETH via WETH.deposit())
+      #   2. Approved ChallengeManager to spend WETH
+      # Stake amount: ~0.1 ETH equivalent per assertion level
       # -------------------------------------------------------------------------
       - --node.staker.enable=true
       - --node.staker.strategy=MakeNodes
       - --node.staker.data-poster.external-signer.url=${POPSIGNER_MTLS_URL}
+      - --node.staker.data-poster.external-signer.address=${STAKER_ADDRESS}
       - --node.staker.data-poster.external-signer.method=eth_signTransaction
       - --node.staker.data-poster.external-signer.client-cert=/certs/client.crt
       - --node.staker.data-poster.external-signer.client-private-key=/certs/client.key
+      - --node.staker.data-poster.external-signer.root-ca=/certs/ca.crt
       # -------------------------------------------------------------------------
       # Feed Output (for full nodes to subscribe)
       # -------------------------------------------------------------------------
@@ -908,6 +933,24 @@ func GenerateEnvExample(config *DeployConfig, result *DeployResult) string {
 		rpcExample = "wss://mainnet.infura.io/ws/v3/YOUR_KEY"
 	}
 
+	// Get the batch poster address from config.BatchPosters
+	batchPosterAddress := ""
+	if len(config.BatchPosters) > 0 {
+		batchPosterAddress = config.BatchPosters[0]
+	}
+	if batchPosterAddress == "" {
+		batchPosterAddress = "REPLACE_WITH_YOUR_BATCH_POSTER_ADDRESS"
+	}
+
+	// Get staker address from config.Validators (NOT same as batch poster!)
+	stakerAddress := ""
+	if len(config.Validators) > 0 {
+		stakerAddress = config.Validators[0]
+	}
+	if stakerAddress == "" {
+		stakerAddress = "REPLACE_WITH_YOUR_STAKER_ADDRESS"
+	}
+
 	return fmt.Sprintf(`# =============================================================================
 # %s Nitro + Celestia DA Environment Configuration
 # Chain ID: %d | Parent Chain: %s (%d)
@@ -938,13 +981,26 @@ L1_BEACON_URL=%s
 # =============================================================================
 
 # PopSigner mTLS endpoint for transaction signing
-POPSIGNER_MTLS_URL=https://rpc-mtls.popsigner.com
+POPSIGNER_MTLS_URL=https://rpc-mtls.popsigner.com:8546
 
 # Note: mTLS certificates are included in ./certs/
 #   - ./certs/client.crt  (auto-generated during deployment)
 #   - ./certs/client.key  (auto-generated during deployment)
 #   - ./certs/ca.crt      (CA certificate for verification)
 
+# =============================================================================
+# EXTERNAL SIGNER ADDRESSES
+# These are the Ethereum addresses that PopSigner will sign transactions for
+# =============================================================================
+
+# Batch Poster Address - the address used to submit batches to L1
+# This should be the address associated with your PopSigner key
+BATCH_POSTER_ADDRESS=%s
+
+# Staker Address - the address used for staking/validation (if staker enabled)
+# Can be same as batch poster or a different address
+STAKER_ADDRESS=%s
+
 # =============================================================================
 # POPSIGNER FOR CELESTIA - Blob Submission Signing
 # Used for signing Celestia blob transactions (SEPARATE from L1 signer!)
@@ -981,7 +1037,106 @@ NITRO_DAS_IMAGE=ghcr.io/celestiaorg/nitro-das-celestia:v0.7.0
 `, config.ChainName, config.ChainID, parentChainName, config.ParentChainID,
 		parentChainName,
 		strings.ToLower(parentChainName), strings.ToLower(parentChainName), strings.ToLower(parentChainName),
-		rpcExample, beaconURL, beaconURL, parentChainName)
+		rpcExample, beaconURL, beaconURL, parentChainName,
+		batchPosterAddress, stakerAddress)
+}
+
+// GenerateEnv creates a ready-to-use .env file with actual values.
+// This removes the need for users to manually copy/edit .env.example.
+func GenerateEnv(config *DeployConfig, result *DeployResult) string {
+	// Determine parent chain name and beacon URL
+	parentChainName := "Sepolia"
+	beaconURL := "https://ethereum-sepolia-beacon-api.publicnode.com"
+	if config.ParentChainID == 1 {
+		parentChainName = "Mainnet"
+		beaconURL = "https://ethereum-mainnet-beacon-api.publicnode.com"
+	}
+
+	// Use actual RPC URL from config, or default to public endpoint
+	rpcURL := config.ParentChainRpc
+	if rpcURL == "" {
+		if config.ParentChainID == 1 {
+			rpcURL = "https://ethereum-rpc.publicnode.com"
+		} else {
+			rpcURL = "https://ethereum-sepolia-rpc.publicnode.com"
+		}
+	}
+
+	// Get the batch poster address from config.BatchPosters
+	batchPosterAddress := ""
+	if len(config.BatchPosters) > 0 {
+		batchPosterAddress = config.BatchPosters[0]
+	}
+	if batchPosterAddress == "" {
+		batchPosterAddress = "REPLACE_WITH_YOUR_BATCH_POSTER_ADDRESS"
+	}
+
+	// Get staker address from config.Validators (NOT same as batch poster!)
+	stakerAddress := ""
+	if len(config.Validators) > 0 {
+		stakerAddress = config.Validators[0]
+	}
+	if stakerAddress == "" {
+		stakerAddress = "REPLACE_WITH_YOUR_STAKER_ADDRESS"
+	}
+
+	// Celestia config - these would come from the deployment config if set
+	celestiaAPIKey := "REPLACE_WITH_YOUR_CELESTIA_API_KEY"
+	celestiaKeyID := "REPLACE_WITH_YOUR_CELESTIA_KEY_ID"
+
+	return fmt.Sprintf(`# =============================================================================
+# %s Nitro + Celestia DA Environment Configuration
+# Chain ID: %d | Parent Chain: %s (%d)
+# Generated by PopSigner - Ready to use!
+# =============================================================================
+
+# =============================================================================
+# PARENT CHAIN (%s) - L1 CONNECTIONS
+# =============================================================================
+
+# Main L1 RPC endpoint (configured during deployment)
+L1_RPC_URL=%s
+
+# Beacon Chain API for EIP-4844 blob data
+L1_BEACON_URL=%s
+
+# =============================================================================
+# POPSIGNER FOR L1 (%s) - Batch Poster & Validator Signing
+# =============================================================================
+
+# PopSigner mTLS endpoint for transaction signing
+POPSIGNER_MTLS_URL=https://rpc-mtls.popsigner.com:8546
+
+# =============================================================================
+# EXTERNAL SIGNER ADDRESSES (configured during deployment)
+# =============================================================================
+
+# Batch Poster Address - the address used to submit batches to L1
+BATCH_POSTER_ADDRESS=%s
+
+# Staker Address - the address used for staking/validation
+STAKER_ADDRESS=%s
+
+# =============================================================================
+# POPSIGNER FOR CELESTIA - Blob Submission Signing
+# =============================================================================
+
+# PopSigner API key for Celestia (get from PopSigner dashboard)
+POPSIGNER_CELESTIA_API_KEY=%s
+
+# PopSigner Key ID for your Celestia signing key
+POPSIGNER_CELESTIA_KEY_ID=%s
+
+# =============================================================================
+# NITRO IMAGE
+# =============================================================================
+
+NITRO_IMAGE=nitro-node-dev:latest
+NITRO_DAS_IMAGE=ghcr.io/celestiaorg/nitro-das-celestia:v0.7.0
+`, config.ChainName, config.ChainID, parentChainName, config.ParentChainID,
+		parentChainName, rpcURL, beaconURL, parentChainName,
+		batchPosterAddress, stakerAddress,
+		celestiaAPIKey, celestiaKeyID)
 }
 
 // ============================================================================