Add TMKMS stack

README.md

@@ -0,0 +1 @@
+# tmkms-stack

stack-orchestrator/compose/docker-compose-tmkms.yml

@@ -0,0 +1,18 @@
+services:
+  tmkms:
+    restart: unless-stopped
+    image: cerc/tmkms:local
+    command: ["bash", "-c", "/opt/run.sh"]
+    environment:
+      CERC_CHAIN_ID: ${CERC_CHAIN_ID:-laconic-mainnet}
+      NODE_IP: ${NODE_IP}
+      NODE_PORT: ${NODE_PORT:-26659}
+      CERC_KEY_PREFIX: ${CERC_KEY_PREFIX:-laconic}
+    volumes:
+      - tmkms-data:/home/tmkmsuser/tmkms
+      - ../config/tmkms/run.sh:/opt/run.sh
+    extra_hosts:
+    - "host.docker.internal:host-gateway"
+
+volumes:
+  tmkms-data:

stack-orchestrator/config/tmkms/run.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+if [[ -n "$CERC_SCRIPT_DEBUG" ]]; then
+  set -x
+fi
+
+set -e
+
+TMKMS_HOME=/home/tmkmsuser/tmkms
+INPUT_PRIV_KEY_FILE=$TMKMS_HOME/tmp/priv_validator_key.json
+TMKMS_SECRETS_DIR=$TMKMS_HOME/secrets
+TMKMS_STATE_DIR=$TMKMS_HOME/state
+
+echo "Initializing tmkms configuration..."
+
+# Initialize tmkms config
+tmkms init $TMKMS_HOME
+
+# Generate a new softsign key
+echo "Generating new softsign key..."
+tmkms softsign keygen $TMKMS_SECRETS_DIR/kms-identity.key
+
+# Update tmkms.toml
+echo "Updating tmkms.toml with chain_id, node IP, and key prefixes..."
+
+# Add chain configuration
+cat <<EOF > $TMKMS_HOME/tmkms.toml
+
+[[chain]]
+id = "$CERC_CHAIN_ID"
+key_format = { type = "cosmos-json", account_key_prefix = "${CERC_KEY_PREFIX}pub", consensus_key_prefix = "${CERC_KEY_PREFIX}valconspub" }
+state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"
+
+[[validator]]
+chain_id = "$CERC_CHAIN_ID"
+addr = "tcp://$NODE_IP:$NODE_PORT"
+secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
+protocol_version = "v0.34"
+reconnect = true
+
+[[providers.softsign]]
+key_type = "consensus"
+path = "$TMKMS_SECRETS_DIR/priv_validator_key"
+chain_ids = ["$CERC_CHAIN_ID"]
+EOF
+
+# Place validator key in secrets directory
+cp $INPUT_PRIV_KEY_FILE $TMKMS_SECRETS_DIR/priv_validator_key.json
+
+# Import the private validator key into tmkms
+echo "Importing private validator key into tmkms..."
+tmkms softsign import $TMKMS_SECRETS_DIR/priv_validator_key.json $TMKMS_SECRETS_DIR/priv_validator_key
+
+# Remove the JSON key file
+rm $TMKMS_SECRETS_DIR/priv_validator_key.json
+
+echo "Starting tmkms..."
+tmkms start --config $TMKMS_HOME/tmkms.toml

stack-orchestrator/container-build/cerc-tmkms/Dockerfile

@@ -0,0 +1,56 @@
+# -------- Stage 1: Build --------
+FROM debian:bookworm-slim AS builder
+
+ARG BACKEND=softsign
+ARG VERSION=main
+
+# Install build dependencies
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    build-essential \
+    clang \
+    curl \
+    git \
+    pkg-config \
+    libsodium-dev \
+    libssl-dev \
+    ca-certificates && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Create non-root user
+RUN useradd -m builder
+USER builder
+WORKDIR /home/builder
+
+ENV PATH="/home/builder/.cargo/bin:$PATH"
+
+# Install Rust
+RUN curl https://sh.rustup.rs -sSf | sh -s -- -y && \
+    rustup component add rustfmt clippy
+
+# Clone and build TMKMS
+RUN git clone --depth 1 --branch ${VERSION} https://github.com/iqlusioninc/tmkms.git && \
+    cd tmkms && \
+    cargo build --release --features=${BACKEND}
+
+# -------- Stage 2: Runtime --------
+FROM debian:bookworm-slim
+
+# Install runtime dependencies only
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    libssl3 \
+    libsodium23 \
+    ca-certificates && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Copy compiled binary
+COPY --from=builder /home/builder/tmkms/target/release/tmkms /usr/local/bin/tmkms
+
+# Create runtime user
+RUN useradd -m tmkmsuser
+USER tmkmsuser
+WORKDIR /home/tmkmsuser
+
+# Default command, override with `docker run ... bash` etc.
+CMD ["tmkms"]

stack-orchestrator/container-build/cerc-tmkms/build.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# Build cerc/tmkms
+source ${CERC_CONTAINER_BASE_DIR}/build-base.sh
+
+# See: https://stackoverflow.com/a/246128/1701505
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+# TODO: Use BACKEND=yubihsm build command arg
+docker build -t cerc/tmkms:local  ${build_command_args} -f ${SCRIPT_DIR}/Dockerfile ${CERC_REPO_BASE_DIR}/tmkms

stack-orchestrator/stacks/tmkms/stack.yml

@@ -0,0 +1,9 @@
+version: "1.0"
+name: tmkms
+description: "TMKMS for signing consensus messages"
+repos:
+  - github.com/iqlusioninc/tmkms@v0.14.0
+containers:
+  - cerc/tmkms
+pods:
+  - tmkms