multisig-hsm/ansible/README.md
mineracks 7a17ffd12e Initial public release — multisig HSM reference + recipe book
Open-source 2-of-3 policy-enforced threshold HSM: auto-signs cold→hot treasury
refills under on-device Coldcard policy, no human in the loop. Includes the full
operator manual + quick-start, the reference coordinator/signing code, and a
signer-host bootstrap. No keys, seeds, or secrets — placeholders only.

Live signet demo: https://multisighsm.mineracks.com

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-26 13:56:51 +10:00


# Signer-host bootstrap (Ansible)

A **starting-point** playbook for provisioning the three **signer hosts** — the small machines (NUC / Pi /
mini-PC) that each have a USB-attached Coldcard and run a thin **signer agent** over `ckcc-protocol`.
This bootstraps the *host*, not the device: it installs the prerequisites, joins the private network, and
lays down a signer-agent service unit. **It never touches keys or seeds** — those are created on the Coldcard
itself, by you. Treat this as a skeleton to adapt to your environment (it is intentionally minimal and not
opinionated about your network).

## What it does

- Installs Python + `ckcc-protocol` (the Coldcard CLI/library) and USB access for the device.
- Joins the host to your private mesh (Tailscale shown as an example — swap for your VPN/WG).
- Installs a `signer-agent` systemd unit (placeholder ExecStart — point it at your agent).

## What it deliberately does NOT do

- It does not generate, copy, or read any seed or key.
- It does not configure the on-device HSM policy (that is loaded onto the Coldcard directly — see
[`../docs/OPERATOR-MANUAL.md`](../docs/OPERATOR-MANUAL.md) §5, and mind the policy-vs-wallet ordering trap).

## Usage

```bash
# inventory.ini: one host per signer, in independent failure domains (≥1 offsite)
ansible-playbook -i inventory.ini signer-host.yml
```
> **Failure-domain placement is the make-or-break decision** — read §3 of the Operator Manual before you
> place signers. Never co-locate two signers behind a shared PSU / switch / host / hypervisor.
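
The placement rule above can be checked mechanically before the playbook runs. The pre-flight script below is an added example, not part of this repository; the `fd_*` host variables, the `signers` group name and the sample hostnames are assumptions made for illustration.

```python
import shlex
from itertools import combinations

# Hypothetical host variables (assumptions, not defined by the playbook).
DOMAIN_VARS = ("fd_psu", "fd_switch", "fd_host", "fd_hypervisor")
OFFSITE_VAR = "fd_offsite"

def parse_group(text, group="signers"):
    """Return {hostname: {var: value}} for hosts under [group] in INI inventory text."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            current = line.strip("[]")
        elif line and current == group:
            name, *pairs = shlex.split(line)
            hosts[name] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return hosts

def placement_problems(hosts, expected=3):
    """Return every placement violation found; an empty list means the layout passes."""
    problems = []
    if len(hosts) != expected:
        problems.append(f"expected {expected} signer hosts, found {len(hosts)}")
    for name, hv in hosts.items():
        problems += [f"{name}: {v} is not set" for v in DOMAIN_VARS if not hv.get(v)]
    for (a, va), (b, vb) in combinations(hosts.items(), 2):
        for v in DOMAIN_VARS:
            if va.get(v) and va.get(v) == vb.get(v):
                problems.append(f"{a} and {b} share {v}={va[v]}")
    if not any(hv.get(OFFSITE_VAR, "").lower() == "true" for hv in hosts.values()):
        problems.append("no signer host is marked offsite")
    return problems

# Constructed sample inventories; hostnames and labels are made up.
GOOD = """[signers]
signer-a fd_psu=psu1 fd_switch=sw1 fd_host=nuc-a fd_hypervisor=none-a fd_offsite=false
signer-b fd_psu=psu2 fd_switch=sw2 fd_host=nuc-b fd_hypervisor=none-b fd_offsite=false
signer-c fd_psu=psu3 fd_switch=sw3 fd_host=pi-c fd_hypervisor=none-c fd_offsite=true"""
BAD = """[signers]
signer-a fd_psu=psu1 fd_switch=sw1 fd_host=nuc-a fd_hypervisor=none-a fd_offsite=false
signer-b fd_psu=psu1 fd_switch=sw1 fd_host=nuc-b fd_hypervisor=none-b fd_offsite=false
signer-c fd_psu=psu3 fd_switch=sw3 fd_host=pi-c fd_hypervisor=none-c fd_offsite=false"""

if __name__ == "__main__":
    for label, inv in (("good", GOOD), ("bad", BAD)):
        print(label, placement_problems(parse_group(inv)) or "OK")
```

Bare-metal hosts still need a unique `fd_hypervisor` label (for example their own name) so that an unset value cannot hide a shared component. The check only compares the labels you write, so it catches inventory mistakes, not mislabelled hardware.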