Add steps to configure tmkms in first validator node

2025-05-19 17:13:45 +05:30 · 2025-05-19 17:13:45 +05:30 · 58b2ac2aa5
commit 58b2ac2aa5
parent 3d7ba45796
8 changed files with 108 additions and 8 deletions
--- a/docs/run-first-validator.md
+++ b/docs/run-first-validator.md
@ -72,7 +72,7 @@
  ls -l output
  ```

-## Run node
+## Setup node

 - Copy the example variables file if not already done:

@ -111,10 +111,87 @@
  export MAINNET_DEPLOYMENT_DIR=
  ```

- Run ansible playbook to submit the gentx and run the node:
+- Run ansible playbook to submit gentx and setup the node:

  ```bash
-  ansible-playbook -i localhost, -c local ~/cerc/laconicd-stack/playbooks/first-validator/run-first-validator.yml
+  ansible-playbook -i localhost, -c local ~/cerc/laconicd-stack/playbooks/first-validator/setup-first-validator.yml
+  ```
+
+### Setup TMKMS (Optional but Recommended)
+
+<!-- Reference: https://docs.osmosis.zone/osmosis-core/keys/tmkms/#setup-tmkms -->
+
+- For integrating existing TMKMS with laconicd, follow steps below in the machine where TMKMS is setup
+
+- Set `$TMKMS_HOME` to the directory path containing TMKMS config files
+
+  ```bash
+  ls -l $TMKMS_HOME
+  drwxrwxr-x 2 ... schema
+  drwx------ 2 ... secrets
+  drwxrwxr-x 2 ... state
+  -rw-rw-r-- 1 ... tmkms.toml
+  ```
+
+- Update the TMKMS configuration file (usually located at `$TMKMS_HOME/tmkms.toml`):
+  ```toml
+  [[chain]]
+  id = "laconic-mainnet"
+  key_format = { type = "bech32", account_key_prefix = "laconicpub", consensus_key_prefix = "laconicvalconspub" }
+  # Replace <TMKMS_HOME> with absolute path to tmkms config directory
+  state_file = "<TMKMS_HOME>/state/priv_validator_state.json"
+
+  [[validator]]
+  chain_id = "laconic-mainnet"
+  # Replace <NODE_IP> with actual IP address of the laconicd node
+  addr = "tcp://<NODE_IP>:26659"
+  # Replace <TMKMS_HOME> with absolute path to tmkms config directory
+  secret_key = "<TMKMS_HOME>/secrets/kms-identity.key"
+  protocol_version = "v0.34"
+  reconnect = true
+
+  [[providers.softsign]]
+  key_type = "consensus"
+  # Replace <TMKMS_HOME> with absolute path to tmkms config directory
+  path = "<TMKMS_HOME>/secrets/priv_validator_key"
+  chain_ids = ["laconic-mainnet"]
+  ```
+
+- Copy your validator key to TMKMS:
+
+  - The validator key in laconicd node deployment is present at `$DATA_DIRECTORY/$MAINNET_DEPLOYMENT_DIR/data/laconicd-data/config/priv_validator_key.json`
+
+  - Place the validator key file in TMKMS config directory at `$TMKMS_HOME/secrets/`
+
+  - Import the private validator key into tmkms:
+    
+    ```bash
+    tmkms softsign import $TMKMS_HOME/secrets/priv_validator_key.json $TMKMS_HOME/secrets/priv_validator_key
+    ```
+  
+  - Remove the JSON key file
+    
+    ```bash
+    rm $TMKMS_HOME/secrets/priv_validator_key.json
+    ```
+
+- Start TMKMS:
+  ```bash
+  tmkms start --config $TMKMS_HOME/tmkms.toml
+  ```
+
+- Enable TMKMS in the node configuration:
+  ```bash
+  # Set TMKMS_ENABLED to true in the node's config.env
+  echo "TMKMS_ENABLED=true" >> $DATA_DIRECTORY/$MAINNET_DEPLOYMENT_DIR/config.env
+  ```
+
+## Run node
+
+- Command to run node
+
+  ```bash
+  laconic-so deployment --dir $DATA_DIRECTORY/$MAINNET_DEPLOYMENT_DIR start
  ```

 - Check logs to ensure that node is running:
@ -123,6 +200,14 @@
  laconic-so deployment --dir $DATA_DIRECTORY/$MAINNET_DEPLOYMENT_DIR logs laconicd -f
  ```

+- Remove the validator key from node deployment as it is no longer required
+
+  ```bash
+  rm $DATA_DIRECTORY/$MAINNET_DEPLOYMENT_DIR/data/laconicd-data/config/priv_validator_key.json
+  ```
+
+  NOTE: Store it safely offline in case of an emergency
+
 - Check bonds list to confirm that testnet state was transferred properly:

  ```bash
--- a/playbooks/first-validator/generate-genesis.yml
+++ b/playbooks/first-validator/generate-genesis.yml
@ -9,7 +9,7 @@
      ansible.builtin.shell:
        cmd: "laconic-so --stack ~/cerc/laconicd-stack/stack-orchestrator/stacks/mainnet-laconicd setup-repositories --git-ssh --pull"

-    # TODO: Add a flag to control force rebuild
+    # TODO: Add a playbook flag to control force rebuild
    - name: Build containers
      ansible.builtin.shell:
        cmd: "laconic-so --stack ~/cerc/laconicd-stack/stack-orchestrator/stacks/mainnet-laconicd build-containers --force-rebuild"
--- a/playbooks/first-validator/setup-first-validator.yml
+++ b/playbooks/first-validator/setup-first-validator.yml
@ -92,7 +92,3 @@
          -e "CERC_MONIKER={{ cerc_moniker }}" \
          -e "CERC_CHAIN_ID={{ cerc_chain_id }}" \
          cerc/laconicd:local bash -c "/scripts/create-and-collect-gentx.sh"
-
-    - name: Run validator node
-      shell: |
-        laconic-so deployment --dir {{data_directory}}/{{ mainnet_deployment_dir }} start
--- a/playbooks/first-validator/templates/specs/spec-template.yml.j2
+++ b/playbooks/first-validator/templates/specs/spec-template.yml.j2
@ -2,6 +2,7 @@ network:
  ports:
    laconicd:
      - '6060:6060'
+      - '26659:26659'
      - '26657:26657'
      - '26656:26656'
      - '9473:9473'
--- a/playbooks/validator/templates/specs/spec-template.yml.j2
+++ b/playbooks/validator/templates/specs/spec-template.yml.j2
@ -2,6 +2,7 @@ network:
  ports:
    laconicd:
      - '6060:6060'
+      - '26659:26659'
      - '26657:26657'
      - '26656:26656'
      - '9473:9473'
--- a/stack-orchestrator/compose/docker-compose-mainnet-laconicd.yml
+++ b/stack-orchestrator/compose/docker-compose-mainnet-laconicd.yml
@ -9,12 +9,14 @@ services:
      CERC_PEERS: ${CERC_PEERS}
      MIN_GAS_PRICE: ${MIN_GAS_PRICE:-0.001}
      CERC_LOGLEVEL: ${CERC_LOGLEVEL:-info}
+      TMKMS_ENABLED: ${TMKMS_ENABLED:-false}
    volumes:
      - laconicd-data:/root/.laconicd
      - ../config/mainnet-laconicd/run-laconicd.sh:/opt/run-laconicd.sh
      - ../config/mainnet-laconicd/create-validator.sh:/scripts/create-validator.sh
    ports:
      - "6060"
+      - "26659"
      - "26657"
      - "26656"
      - "9473"
--- a/stack-orchestrator/config/mainnet-laconicd/create-and-collect-gentx.sh
+++ b/stack-orchestrator/config/mainnet-laconicd/create-and-collect-gentx.sh
@ -45,6 +45,9 @@ laconicd config set client chain-id $CHAIN_ID --home $NODE_HOME
 laconicd config set client keyring-backend $KEYRING
 laconicd init $MONIKER --chain-id=$CHAIN_ID --home $NODE_HOME

+# Make config directory accessible without root permissions in docker host
+chmod -R 777 $$NODE_HOME/config
+
 # Copy over provided genesis config
 cp $input_genesis_file $genesis_file_path

--- a/stack-orchestrator/config/mainnet-laconicd/run-laconicd.sh
+++ b/stack-orchestrator/config/mainnet-laconicd/run-laconicd.sh
@ -20,6 +20,7 @@ echo "Chain Id: $CERC_CHAIN_ID"
 echo "Persistent peers: $CERC_PEERS"
 echo "Min gas price: $MIN_GAS_PRICE"
 echo "Log level: $CERC_LOGLEVEL"
+echo "TMKMS enabled: $TMKMS_ENABLED"

 # Set chain id in config
 laconicd config set client chain-id $CERC_CHAIN_ID --home $NODE_HOME
@ -39,6 +40,17 @@ cp $input_genesis_file $NODE_HOME/config/genesis.json
 # Enable cors
 sed -i 's/cors_allowed_origins.*$/cors_allowed_origins = ["*"]/' $NODE_HOME/config/config.toml

+if [[ "${TMKMS_ENABLED,,}" == "true" ]]; then
+  # Configure private validator for external tmkms
+  sed -i "s/^priv_validator_laddr *=.*/priv_validator_laddr = \"tcp:\/\/0.0.0.0:26659\"/" $NODE_HOME/config/config.toml
+
+  # Comment out validator key files when using external TMKMS
+  sed -i 's/^priv_validator_key_file =/# priv_validator_key_file =/' $NODE_HOME/config/config.toml
+  sed -i 's/^priv_validator_state_file =/# priv_validator_state_file =/' $NODE_HOME/config/config.toml
+else
+  echo "Warning: TMKMS disabled, node will run with local validator keys"
+fi
+
 # Update config with persistent peers
 sed -i "s/^persistent_peers *=.*/persistent_peers = \"$CERC_PEERS\"/g" $NODE_HOME/config/config.toml