Add script to setup yubihsm

stack-orchestrator/config/tmkms/run.sh

@@ -24,28 +24,7 @@ fi
 case "$TMKMS_MODE" in
   "yubihsm")
     # Add chain configuration for yubihsm
-    # TODO: Take password from env var
+    # TODO: Allow users to edit config toml
-    cat <<EOF > $TMKMS_HOME/tmkms.toml
-
-    [[chain]]
-    id = "$CHAIN_ID"
-    key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" }
-    state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"
-
-    [[validator]]
-    chain_id = "$CHAIN_ID"
-    addr = "tcp://$NODE_IP:$NODE_PORT"
-    secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
-    protocol_version = "v0.34"
-    reconnect = true
-
-    [[providers.yubihsm]]
-    adapter = { type = "usb" }
-    auth = { key = 1, password = "password" }
-EOF
-
-    # Setup YubiHSM
-    tmkms yubihsm setup -c $TMKMS_HOME/tmkms.toml
 
     # Import the private validator key into tmkms for yubihsm (only if not already present)
     if ! tmkms yubihsm keys list | grep -q "0x0001:"; then

stack-orchestrator/config/tmkms/setup-yubihsm.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [[ -n "$CERC_SCRIPT_DEBUG" ]]; then
+  set -x
+fi
+
+set -e
+
+TMKMS_HOME=/home/tmkmsuser/tmkms
+TMKMS_SECRETS_DIR=$TMKMS_HOME/secrets
+TMKMS_STATE_DIR=$TMKMS_HOME/state
+
+tmkms init $TMKMS_HOME
+
+cat <<EOF > $TMKMS_HOME/tmkms.toml
+  [[chain]]
+  id = "$CHAIN_ID"
+  key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" }
+  state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"
+
+  [[validator]]
+  chain_id = "$CHAIN_ID"
+  addr = "tcp://$NODE_IP:$NODE_PORT"
+  secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
+  protocol_version = "v0.34"
+  reconnect = true
+
+  [[providers.yubihsm]]
+  adapter = { type = "usb" }
+  auth = { key = 1, password = "$PASSWORD" }
+EOF
+
+tmkms yubihsm setup -c $TMKMS_HOME/tmkms.toml