diff --git a/stack-orchestrator/config/tmkms/run.sh b/stack-orchestrator/config/tmkms/run.sh
index 107270f..16faf7a 100755
--- a/stack-orchestrator/config/tmkms/run.sh
+++ b/stack-orchestrator/config/tmkms/run.sh
@@ -24,28 +24,7 @@ fi
 case "$TMKMS_MODE" in
 "yubihsm")
 # Add chain configuration for yubihsm
- # TODO: Take password from env var
- cat < $TMKMS_HOME/tmkms.toml
-
- [[chain]]
- id = "$CHAIN_ID"
- key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" }
- state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"
-
- [[validator]]
- chain_id = "$CHAIN_ID"
- addr = "tcp://$NODE_IP:$NODE_PORT"
- secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
- protocol_version = "v0.34"
- reconnect = true
-
- [[providers.yubihsm]]
- adapter = { type = "usb" }
- auth = { key = 1, password = "password" }
-EOF
-
- # Setup YubiHSM
- tmkms yubihsm setup -c $TMKMS_HOME/tmkms.toml
+ # TODO: Allow users to edit config toml

 # Import the private validator key into tmkms for yubihsm (only if not already present)
 if ! tmkms yubihsm keys list | grep -q "0x0001:"; then
diff --git a/stack-orchestrator/config/tmkms/setup-yubihsm.sh b/stack-orchestrator/config/tmkms/setup-yubihsm.sh
new file mode 100755
index 0000000..e600c0f
--- /dev/null
+++ b/stack-orchestrator/config/tmkms/setup-yubihsm.sh
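Review bot: The new comment in the "yubihsm" arm no longer says where tmkms.toml comes from, while the key-import step that follows still runs `tmkms yubihsm keys list`, which presumably needs that config to exist; the expectation seems to be that setup-yubihsm.sh (added in this commit) has been run once beforehand. Suggest stating that precondition next to the TODO, e.g. `# tmkms.toml is generated by setup-yubihsm.sh, which must be run once before this script`. The case arm continues outside the hunk.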
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [[ -n "$CERC_SCRIPT_DEBUG" ]]; then
+ set -x
+fi
+
+set -e
+
+TMKMS_HOME=/home/tmkmsuser/tmkms
+TMKMS_SECRETS_DIR=$TMKMS_HOME/secrets
+TMKMS_STATE_DIR=$TMKMS_HOME/state
+
+tmkms init $TMKMS_HOME
+
+cat < $TMKMS_HOME/tmkms.toml
+ [[chain]]
+ id = "$CHAIN_ID"
+ key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" }
+ state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"
+
+ [[validator]]
+ chain_id = "$CHAIN_ID"
+ addr = "tcp://$NODE_IP:$NODE_PORT"
+ secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
+ protocol_version = "v0.34"
+ reconnect = true
+
+ [[providers.yubihsm]]
+ adapter = { type = "usb" }
+ auth = { key = 1, password = "$PASSWORD" }
+EOF
+
+tmkms yubihsm setup -c $TMKMS_HOME/tmkms.toml
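Review bot: `$PASSWORD` is expanded into the heredoc with no check that it is set, and the script uses `set -e` without `-u`, so an unset variable silently writes `password = ""` into tmkms.toml and `tmkms yubihsm setup` then runs against an empty credential; the same applies to CHAIN_ID, KEY_PREFIX, NODE_IP and NODE_PORT. Guard them before the heredoc, e.g. `: "${PASSWORD:?PASSWORD must be set}"` (one per variable), or switch to `set -eu`. The generated tmkms.toml contains the YubiHSM auth password in plaintext, so it should be created with restricted permissions — `umask 077` before the `cat`, or `chmod 600 "$TMKMS_HOME/tmkms.toml"` right after `EOF`. The `cat < $TMKMS_HOME/tmkms.toml` line followed by a heredoc body and `EOF` reads like an extraction artifact of `cat <<EOF > "$TMKMS_HOME/tmkms.toml"`; if the file really contains `<`, nothing is written and the `EOF` terminator is a stray command, so worth confirming in the actual source.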