From 58b2ac2aa5de50044e8c8562e48017175cb2d835 Mon Sep 17 00:00:00 2001 From: Nabarun Date: Mon, 19 May 2025 17:13:45 +0530 Subject: [PATCH] Add steps to configure tmkms in first validator node --- docs/run-first-validator.md | 91 ++++++++++++++++++- .../first-validator/generate-genesis.yml | 2 +- ...alidator.yml => setup-first-validator.yml} | 4 - .../templates/specs/spec-template.yml.j2 | 1 + .../templates/specs/spec-template.yml.j2 | 1 + .../docker-compose-mainnet-laconicd.yml | 2 + .../create-and-collect-gentx.sh | 3 + .../config/mainnet-laconicd/run-laconicd.sh | 12 +++ 8 files changed, 108 insertions(+), 8 deletions(-) rename playbooks/first-validator/{run-first-validator.yml => setup-first-validator.yml} (96%) diff --git a/docs/run-first-validator.md b/docs/run-first-validator.md index 9ce040c..d0b9bab 100644 --- a/docs/run-first-validator.md +++ b/docs/run-first-validator.md @@ -72,7 +72,7 @@ ls -l output ``` -## Run node +## Setup node - Copy the example variables file if not already done: 
@@ -111,10 +111,87 @@ export MAINNET_DEPLOYMENT_DIR= ``` -- Run ansible playbook to submit the gentx and run the node: +- Run ansible playbook to submit gentx and setup the node: ```bash - ansible-playbook -i localhost, -c local ~/cerc/laconicd-stack/playbooks/first-validator/run-first-validator.yml + ansible-playbook -i localhost, -c local ~/cerc/laconicd-stack/playbooks/first-validator/setup-first-validator.yml + ``` + +### Setup TMKMS (Optional but Recommended) + + + +- For integrating existing TMKMS with laconicd, follow steps below in the machine where TMKMS is setup + +- Set `$TMKMS_HOME` to the directory path containing TMKMS config files + + ```bash + ls -l $TMKMS_HOME + drwxrwxr-x 2 ... schema + drwx------ 2 ... secrets + drwxrwxr-x 2 ... state + -rw-rw-r-- 1 ... tmkms.toml + ``` + +- Update the TMKMS configuration file (usually located at `$TMKMS_HOME/tmkms.toml`): + ```toml + [[chain]] + id = "laconic-mainnet" + key_format = { type = "bech32", account_key_prefix = "laconicpub", consensus_key_prefix = "laconicvalconspub" } + # Replace with absolute path to tmkms config directory + state_file = "/state/priv_validator_state.json" + + [[validator]] + chain_id = "laconic-mainnet" + # Replace with actual IP address of the laconicd node + addr = "tcp://:26659" + # Replace with absolute path to tmkms config directory + secret_key = "/secrets/kms-identity.key" + protocol_version = "v0.34" + reconnect = true + + [[providers.softsign]] + key_type = "consensus" + # Replace with absolute path to tmkms config directory + path = "/secrets/priv_validator_key" + chain_ids = ["laconic-mainnet"] + ``` + +- Copy your validator key to TMKMS: + + - The validator key in laconicd node deployment is present at `$DATA_DIRECTORY/$MAINNET_DEPLOYMENT_DIR/data/laconicd-data/config/priv_validator_key.json` + + - Place the validator key file in TMKMS config directory at `$TMKMS_HOME/secrets/` + + - Import the private validator key into tmkms: + + ```bash + tmkms softsign import 
$TMKMS_HOME/secrets/priv_validator_key.json $TMKMS_HOME/secrets/priv_validator_key + ``` + + - Remove the JSON key file + + ```bash + rm $TMKMS_HOME/secrets/priv_validator_key.json + ``` + +- Start TMKMS: + ```bash + tmkms start --config $TMKMS_HOME/tmkms.toml + ``` + +- Enable TMKMS in the node configuration: + ```bash + # Set TMKMS_ENABLED to true in the node's config.env + echo "TMKMS_ENABLED=true" >> $DATA_DIRECTORY/$MAINNET_DEPLOYMENT_DIR/config.env + ``` + +## Run node + +- Command to run node + + ```bash + laconic-so deployment --dir $DATA_DIRECTORY/$MAINNET_DEPLOYMENT_DIR start ``` - Check logs to ensure that node is running: @@ -123,6 +200,14 @@ laconic-so deployment --dir $DATA_DIRECTORY/$MAINNET_DEPLOYMENT_DIR logs laconicd -f ``` +- Remove the validator key from node deployment as it is no longer required + + ```bash + rm $DATA_DIRECTORY/$MAINNET_DEPLOYMENT_DIR/data/laconicd-data/config/priv_validator_key.json + ``` + + NOTE: Store it safely offline in case of an emergency + - Check bonds list to confirm that testnet state was transferred properly: ```bash diff --git a/playbooks/first-validator/generate-genesis.yml b/playbooks/first-validator/generate-genesis.yml index d809b0e..4409bf3 100644 --- a/playbooks/first-validator/generate-genesis.yml +++ b/playbooks/first-validator/generate-genesis.yml @@ -9,7 +9,7 @@ ansible.builtin.shell: cmd: "laconic-so --stack ~/cerc/laconicd-stack/stack-orchestrator/stacks/mainnet-laconicd setup-repositories --git-ssh --pull" - # TODO: Add a flag to control force rebuild + # TODO: Add a playbook flag to control force rebuild - name: Build containers ansible.builtin.shell: cmd: "laconic-so --stack ~/cerc/laconicd-stack/stack-orchestrator/stacks/mainnet-laconicd build-containers --force-rebuild" 
diff --git a/playbooks/first-validator/run-first-validator.yml b/playbooks/first-validator/setup-first-validator.yml
similarity index 96%
rename from playbooks/first-validator/run-first-validator.yml
rename to playbooks/first-validator/setup-first-validator.yml
index df87d38..86ce682 100644
--- a/playbooks/first-validator/run-first-validator.yml
+++ b/playbooks/first-validator/setup-first-validator.yml
@@ -92,7 +92,3 @@
-e "CERC_MONIKER={{ cerc_moniker }}" \
-e "CERC_CHAIN_ID={{ cerc_chain_id }}" \
cerc/laconicd:local bash -c "/scripts/create-and-collect-gentx.sh"
- - name: Run validator node
- shell: |
- laconic-so deployment --dir {{data_directory}}/{{ mainnet_deployment_dir }} start
diff --git a/playbooks/first-validator/templates/specs/spec-template.yml.j2 b/playbooks/first-validator/templates/specs/spec-template.yml.j2
index 9ae553e..a140929 100644
--- a/playbooks/first-validator/templates/specs/spec-template.yml.j2
+++ b/playbooks/first-validator/templates/specs/spec-template.yml.j2
@@ -2,6 +2,7 @@ network:
ports:
laconicd:
- '6060:6060'
+ - '26659:26659'
- '26657:26657'
- '26656:26656'
- '9473:9473'
diff --git a/playbooks/validator/templates/specs/spec-template.yml.j2 b/playbooks/validator/templates/specs/spec-template.yml.j2
index 9ae553e..a140929 100644
--- a/playbooks/validator/templates/specs/spec-template.yml.j2
+++ b/playbooks/validator/templates/specs/spec-template.yml.j2
@@ -2,6 +2,7 @@ network:
ports:
laconicd:
- '6060:6060'
+ - '26659:26659'
- '26657:26657'
- '26656:26656'
- '9473:9473'
diff --git a/stack-orchestrator/compose/docker-compose-mainnet-laconicd.yml b/stack-orchestrator/compose/docker-compose-mainnet-laconicd.yml
index f0b18c0..e8610e6 100644
--- a/stack-orchestrator/compose/docker-compose-mainnet-laconicd.yml
+++ b/stack-orchestrator/compose/docker-compose-mainnet-laconicd.yml
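Review bot: `- '26659:26659'` publishes the node's remote-signer listener on every host interface (and run-laconicd.sh in this same patch binds it to 0.0.0.0 inside the container), so anyone who can reach the host on 26659 can connect to the node as its signer. As far as I can tell CometBFT's priv_validator listener serves one connection at a time and does not pin the remote signer's identity key, so a stranger connecting first would keep the real TMKMS out and could present its own key as the node's consensus key; the docs hunk only says to put the node's IP in `addr`. Unless TMKMS runs on another host, bind the mapping to loopback, `- '127.0.0.1:26659:26659'`, and otherwise bind it to the private or VPN address TMKMS actually uses and firewall the port to the TMKMS host's source address. The identical line is added to playbooks/validator/templates/specs/spec-template.yml.j2 in the next hunk and needs the same treatment.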
@@ -9,12 +9,14 @@ services:
CERC_PEERS: ${CERC_PEERS}
MIN_GAS_PRICE: ${MIN_GAS_PRICE:-0.001}
CERC_LOGLEVEL: ${CERC_LOGLEVEL:-info}
+ TMKMS_ENABLED: ${TMKMS_ENABLED:-false}
volumes:
- laconicd-data:/root/.laconicd
- ../config/mainnet-laconicd/run-laconicd.sh:/opt/run-laconicd.sh
- ../config/mainnet-laconicd/create-validator.sh:/scripts/create-validator.sh
ports:
- "6060"
+ - "26659"
- "26657"
- "26656"
- "9473"
diff --git a/stack-orchestrator/config/mainnet-laconicd/create-and-collect-gentx.sh b/stack-orchestrator/config/mainnet-laconicd/create-and-collect-gentx.sh
index d845554..b3939c7 100755
--- a/stack-orchestrator/config/mainnet-laconicd/create-and-collect-gentx.sh
+++ b/stack-orchestrator/config/mainnet-laconicd/create-and-collect-gentx.sh
@@ -45,6 +45,9 @@ laconicd config set client chain-id $CHAIN_ID --home $NODE_HOME
laconicd config set client keyring-backend $KEYRING
laconicd init $MONIKER --chain-id=$CHAIN_ID --home $NODE_HOME
+# Make config directory accessible without root permissions in docker host
+chmod -R 777 $$NODE_HOME/config
+
# Copy over provided genesis config
cp $input_genesis_file $genesis_file_path
diff --git a/stack-orchestrator/config/mainnet-laconicd/run-laconicd.sh b/stack-orchestrator/config/mainnet-laconicd/run-laconicd.sh
index 7051bea..de0ab21 100755
--- a/stack-orchestrator/config/mainnet-laconicd/run-laconicd.sh
+++ b/stack-orchestrator/config/mainnet-laconicd/run-laconicd.sh
@@ -20,6 +20,7 @@ echo "Chain Id: $CERC_CHAIN_ID"
echo "Persistent peers: $CERC_PEERS"
echo "Min gas price: $MIN_GAS_PRICE"
echo "Log level: $CERC_LOGLEVEL"
+echo "TMKMS enabled: $TMKMS_ENABLED"
# Set chain id in config
laconicd config set client chain-id $CERC_CHAIN_ID --home $NODE_HOME
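Review bot: `chmod -R 777 $$NODE_HOME/config` never reaches the config directory: `$$` is the shell's PID, so the path expands to `<pid>NODE_HOME/config`, chmod fails with "No such file or directory", and the script aborts there if it runs under `set -e` (the script header is outside the hunk). Once the typo is fixed, a recursive 777 still makes `priv_validator_key.json` and `node_key.json` world-readable and world-writable on the bind mount, which is the opposite of what a validator signing key needs; the docs in this patch then copy that very file into TMKMS. If the intent is only that a non-root host user can read the directory, open the tree but not the keys, e.g. `chmod -R a+rX "$NODE_HOME/config"` followed by `chmod 600 "$NODE_HOME/config/priv_validator_key.json" "$NODE_HOME/config/node_key.json"`, and let the host user read the key through sudo or a chown to that user's uid rather than through world permissions.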
@@ -39,6 +40,17 @@ cp $input_genesis_file $NODE_HOME/config/genesis.json
# Enable cors
sed -i 's/cors_allowed_origins.*$/cors_allowed_origins = ["*"]/' $NODE_HOME/config/config.toml
+if [[ "${TMKMS_ENABLED,,}" == "true" ]]; then
+ # Configure private validator for external tmkms
+ sed -i "s/^priv_validator_laddr *=.*/priv_validator_laddr = \"tcp:\/\/0.0.0.0:26659\"/" $NODE_HOME/config/config.toml
+
+ # Comment out validator key files when using external TMKMS
+ sed -i 's/^priv_validator_key_file =/# priv_validator_key_file =/' $NODE_HOME/config/config.toml
+ sed -i 's/^priv_validator_state_file =/# priv_validator_state_file =/' $NODE_HOME/config/config.toml
+else
+ echo "Warning: TMKMS disabled, node will run with local validator keys"
+fi
+
# Update config with persistent peers
sed -i "s/^persistent_peers *=.*/persistent_peers = \"$CERC_PEERS\"/g" $NODE_HOME/config/config.toml
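Review bot: The `else` branch only prints a warning, so flipping `TMKMS_ENABLED` back to false on an existing data volume leaves `priv_validator_laddr = "tcp://0.0.0.0:26659"` in config.toml from the earlier run and the node keeps waiting for a remote signer instead of using its local key; the branch should restore the local setting with `sed -i 's/^priv_validator_laddr *=.*/priv_validator_laddr = ""/' $NODE_HOME/config/config.toml` and uncomment the two key-file settings it previously commented out. The comment `# Comment out validator key files when using external TMKMS` also overstates what the two seds achieve: as far as I can tell CometBFT falls back to its default file paths when those keys are absent, and it is the non-empty `priv_validator_laddr` that makes the node use the remote signer, so I would reword it to `# Local key files are ignored once priv_validator_laddr is set; commented out for clarity`. Minor: `${TMKMS_ENABLED,,}` needs bash 4+, which is fine only if the shebang (outside the hunk) is bash rather than sh, and the warning belongs on stderr (`>&2`).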