Open-source 2-of-3 policy-enforced threshold HSM: auto-signs cold→hot treasury refills under on-device Coldcard policy, no human in the loop. Includes the full operator manual + quick-start, the reference coordinator/signing code, and a signer-host bootstrap. No keys, seeds, or secrets — placeholders only. Live signet demo: https://multisighsm.mineracks.com Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signer-host bootstrap (Ansible)
A starting-point playbook for provisioning the three signer hosts — the small machines (NUC / Pi /
mini-PC) that each have a USB-attached Coldcard and run a thin signer agent over ckcc-protocol.
This bootstraps the host, not the device: it installs the prerequisites, joins the private network, and lays down a signer-agent service unit. It never touches keys or seeds — those are created on the Coldcard itself, by you. Treat this as a skeleton to adapt to your environment (it is intentionally minimal and not opinionated about your network).
What it does
- Installs Python + ckcc-protocol (the Coldcard CLI/library) and USB access for the device.
- Joins the host to your private mesh (Tailscale shown as an example — swap for your VPN/WG).
- Installs a signer-agent systemd unit (placeholder ExecStart — point it at your agent).
What it deliberately does NOT do
- It does not generate, copy, or read any seed or key.
- It does not configure the on-device HSM policy (that is loaded onto the Coldcard directly — see ../docs/OPERATOR-MANUAL.md §5, and mind the policy-vs-wallet ordering trap).
Usage
# inventory.ini: one host per signer, in independent failure domains (≥1 offsite)
ansible-playbook -i inventory.ini signer-host.yml
Failure-domain placement is the make-or-break decision — read §3 of the Operator Manual before you place signers. Never co-locate two signers behind a shared PSU / switch / host / hypervisor.
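A pre-flight check for the placement rule above, run against the inventory before the playbook. This is an added example, not part of the repository: the fd_* host variables and the [signers] group name are hypothetical labels you would add to inventory.ini yourself, and the sample inventory is constructed.

```python
import shlex

# Constructed sample inventory. The fd_* host variables are hypothetical
# labels for this check; the playbook on this page does not define them.
SAMPLE_INVENTORY = """\
# one host per signer
[signers]
signer-a fd_psu=ups-1 fd_switch=sw-1 fd_host=nuc-1 fd_hypervisor=none fd_offsite=false
signer-b fd_psu=ups-1 fd_switch=sw-2 fd_host=nuc-2 fd_hypervisor=none fd_offsite=false
signer-c fd_psu=ups-9 fd_switch=sw-9 fd_host=pi-1 fd_hypervisor=none fd_offsite=true
"""

SHARED = ("fd_psu", "fd_switch", "fd_host", "fd_hypervisor")

def parse_group(text, group="signers"):
    """Return {hostname: {var: value}} for one INI inventory group."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == group:
            name, *pairs = shlex.split(line)
            hosts[name] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return hosts

def check_placement(hosts):
    """List every way the signer hosts break the placement rule."""
    problems = []
    if len(hosts) != 3:
        problems.append(f"expected 3 signer hosts, found {len(hosts)}")
    for key in SHARED:
        seen = {}
        for name in sorted(hosts):
            value = hosts[name].get(key)
            if value is None:
                problems.append(f"{name}: no {key} label")
            elif value.lower() != "none":  # "none" = not applicable (bare metal)
                if value in seen:
                    problems.append(f"{seen[value]} and {name} share {key}={value}")
                seen.setdefault(value, name)
    if not any(h.get("fd_offsite", "").lower() == "true" for h in hosts.values()):
        problems.append("no signer is marked offsite")
    return problems

if __name__ == "__main__":
    for problem in check_placement(parse_group(SAMPLE_INVENTORY)):
        print("PLACEMENT:", problem)
```

The sample deliberately puts signer-a and signer-b on the same UPS, so the check reports one violation; an empty list means no two signers share a labelled PSU, switch, host or hypervisor and at least one is offsite.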