[WIP] Add support for using yubiHSM with TMKMS #16

Draft
shreerang wants to merge 2 commits from sk-yubihsm into main
5 changed files with 66 additions and 2 deletions


@ -92,6 +92,19 @@
- For integrating TMKMS with laconicd, follow steps below in the machine where the TMKMS service is to be setup (machine 4)
- Copy the example variables file:
```bash
cp ~/cerc/laconicd-stack/playbooks/tmkms/tmkms-vars.example.yml ~/cerc/laconicd-stack/playbooks/tmkms/tmkms-vars.yml
```
- Update `~/cerc/laconicd-stack/playbooks/tmkms/tmkms-vars.yml` with required values:
```yaml
# Set the mode of operation for TMKMS (e.g., "softsign", "yubihsm")
tmkms_mode: <tmkms-mode>
```
- Export the data directory and TMKMS deployment directory as environment variables:
```bash
@ -226,6 +239,22 @@
node_port: "26659"
```
- If using `yubihsm` mode, run following command to setup the yubihsm:
**WARNING: THIS PROCESS PERFORMS A FACTORY RESET OF THE YUBIHSM, DELETING ALL EXISTING KEYS AND REPLACING THEM WITH NEW ONES. MAKE SURE YOU HAVE MADE BACKUPS OF IMPORTANT KEYS BEFORE PROCEEDING!!!**
```bash
# Use a strong password for YubiHSM
docker run -it --rm \
-v $DATA_DIRECTORY/tmkms-deployment/data/tmkms-data:/home/tmkmsuser/tmkms \
-v ~/cerc/tmkms-stack/stack-orchestrator/config/tmkms/setup-yubihsm.sh:/scripts/setup-yubihsm.sh \
-e "PASSWORD=<yubihsm-password>" \
-e "CHAIN_ID=laconic-mainnet" \
-e "NODE_IP=<NODE_PUBLIC_IP_ADDRESS>" \
-e "NODE_PORT=26659" \
cerc/tmkms:local bash -c "/scripts/setup-yubihsm.sh"
```
- Run ansible playbook to run the TMKMS:
```bash


@ -104,6 +104,19 @@
- For integrating TMKMS with laconicd, follow steps below in the machine where the TMKMS service is to be setup (machine 4)
- Copy the example variables file:
```bash
cp ~/cerc/laconicd-stack/playbooks/tmkms/tmkms-vars.example.yml ~/cerc/laconicd-stack/playbooks/tmkms/tmkms-vars.yml
```
- Update `~/cerc/laconicd-stack/playbooks/tmkms/tmkms-vars.yml` with required values:
```yaml
# Set the mode of operation for TMKMS (e.g., "softsign", "yubihsm")
tmkms_mode: <tmkms-mode>
```
- Export the data directory as environment variable:
```bash
@ -144,6 +157,22 @@
node_port: "26659"
```
- If using `yubihsm` mode, run following command to setup the yubihsm:
**WARNING: THIS PROCESS PERFORMS A FACTORY RESET OF THE YUBIHSM, DELETING ALL EXISTING KEYS AND REPLACING THEM WITH NEW ONES. MAKE SURE YOU HAVE MADE BACKUPS OF IMPORTANT KEYS BEFORE PROCEEDING!!!**
```bash
# Use a strong password for YubiHSM
docker run -it --rm \
-v $DATA_DIRECTORY/tmkms-deployment/data/tmkms-data:/home/tmkmsuser/tmkms \
-v ~/cerc/tmkms-stack/stack-orchestrator/config/tmkms/setup-yubihsm.sh:/scripts/setup-yubihsm.sh \
-e "PASSWORD=<yubihsm-password>" \
-e "CHAIN_ID=laconic-mainnet" \
-e "NODE_IP=<NODE_PUBLIC_IP_ADDRESS>" \
-e "NODE_PORT=26659" \
cerc/tmkms:local bash -c "/scripts/setup-yubihsm.sh"
```
- Run ansible playbook to run the TMKMS:
```bash


@ -40,6 +40,7 @@
NODE_IP: "{{ node_ip }}"
NODE_PORT: "{{ node_port }}"
KEY_PREFIX: "{{ key_prefix }}"
TMKMS_MODE: "{{ tmkms_mode }}"
mode: '0777'
- name: Start tmkms deployment
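Review bot: The `TMKMS_MODE: "{{ tmkms_mode }}"` line added here makes this generated file the switch that decides whether TMKMS signs with the YubiHSM or with a software key, yet the task still writes it with `mode: '0777'` (a context line, not introduced by this change), so any local user on the host could flip `TMKMS_MODE` or `NODE_IP` between the write and the deployment start. Tighten it to `mode: '0600'` (or `'0640'` with an explicit `group:` if a separate service user must read it). The task's module, destination and owner are above the hunk, so I can't confirm whether the file is consumed by root or by the container's user — set `owner:` accordingly rather than relying on world permissions. The task begins outside the hunk.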


@ -1,6 +1,8 @@
---
- name: Setup TMKMS stack
hosts: localhost
vars_files:
- tmkms-vars.yml
vars:
data_directory: "{{ lookup('env', 'DATA_DIRECTORY') }}"
tmkms_deployment_dir: "{{ lookup('env', 'TMKMS_DEPLOYMENT_DIR') | default('tmkms-deployment', true) }}"
@ -16,11 +18,11 @@
- name: Fetch tmkms stack
shell: |
laconic-so fetch-stack git.vdb.to/LaconicNetwork/tmkms-stack --git-ssh --pull
laconic-so fetch-stack git.vdb.to/LaconicNetwork/tmkms-stack@sk-yubihsm --git-ssh --pull
- name: Build tmkms container images
shell: |
laconic-so --stack ~/cerc/tmkms-stack/stack-orchestrator/stacks/tmkms build-containers {{ build_args }}
laconic-so --stack ~/cerc/tmkms-stack/stack-orchestrator/stacks/tmkms build-containers {{ build_args }} --extra-build-args "--build-arg BACKEND={{ tmkms_mode }}"
- name: Create tmkms deployment spec file
shell: |
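Review bot: On the new `build-containers` line `tmkms_mode` is spliced unquoted into a `shell:` command with no check that it is one of the two backends the vars file describes, so a typo yields an image built with an unintended `BACKEND`, and a value containing shell metacharacters is interpreted by the shell. Add a guard task before the build, e.g. `- name: Validate tmkms_mode` / `assert:` / `that: tmkms_mode in ['softsign', 'yubihsm']`, and pass the value as `BACKEND={{ tmkms_mode | quote }}`. The changed fetch line now pins the feature branch `@sk-yubihsm` with `--pull`, which presumably must revert to the default branch before merge, and since it tracks a mutable ref the resulting image is not reproducible — pinning a commit would make the build attestable. The play's remaining tasks continue past the hunk.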


@ -14,3 +14,6 @@ key_prefix: "laconic"
# The chain ID for the blockchain network
chain_id: "laconic-mainnet"
# The mode of operation for TMKMS (e.g., "softsign", "yubihsm")
tmkms_mode: "softsign"