Validator install guide

Step-by-step install of the marketplace TEE on an AWS Nitro-capable host using the validator-cli.

Step 1: Install validator-cli

The CLI lives in the sibling open-source repo staked-quic-connection-provider. Build it from source:

git clone https://github.com/nodexpert-labs/staked-quic-connection-provider.git
cd staked-quic-connection-provider/validator-cli
cargo install --path .
validator-cli --help

The binary surfaces all install / register / rotate / audit operations. Each subcommand prints a step-by-step plan before doing anything that touches AWS or on-chain state.

Step 2: Dry-run the install plan

Always start in --dry-run mode. The CLI runs terraform plan against the deploy module and prints the per-month cost estimate based on your chosen tier and region:

validator-cli install \
  --region us-east-1 \
  --tier standard \
  --allowed-grpc-cidr 0.0.0.0/0 \
  --dry-run

Review the plan. If the resource list or the cost figure surprises you, stop and reach out before re-running without --dry-run.

Step 3: Apply the install

Once you're satisfied with the plan, drop --dry-run:

validator-cli install \
  --region us-east-1 \
  --tier standard \
  --allowed-grpc-cidr 0.0.0.0/0

This provisions the EC2 host, the KMS key (PCR-bound to the enclave's expected measurements), the Nitro Enclave EIF, and the host-proxy systemd unit. The CLI prints the gRPC endpoint URL when it's done. You'll need it for the next step.
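One way to check the "PCR-bound" property of the KMS key for yourself, as an added example that is not part of validator-cli or its deploy module: audit the key policy for any Allow statement that grants kms:Decrypt without pinning an enclave measurement. The policy shape, Sids and PCR0 value below are constructed assumptions, since the module's real policy is not shown on this page.

```python
from fnmatch import fnmatchcase

# Operators that pin a value; StringLike and *IfExists variants do not.
PINNING_OPS = {"stringequals", "stringequalsignorecase"}
ATTESTATION_PREFIX = "kms:recipientattestation:"  # PCR<N> and ImageSha384 keys

def as_list(v):
    return v if isinstance(v, list) else [v]

def covers_decrypt(patterns):
    return any(fnmatchcase("kms:decrypt", p.lower()) for p in as_list(patterns))

def grants_decrypt(stmt):
    """True if the statement's actions include kms:Decrypt (wildcards, NotAction)."""
    if "NotAction" in stmt:
        return not covers_decrypt(stmt["NotAction"])
    return covers_decrypt(stmt.get("Action", []))

def pinning_keys(stmt):
    """Attestation condition keys whose every allowed value is a non-zero measurement."""
    keys = []
    for op, conds in stmt.get("Condition", {}).items():
        if op.lower() not in PINNING_OPS:
            continue
        for key, vals in conds.items():
            vals = as_list(vals)
            # Values under one key are ORed, and a debug-mode enclave attests
            # all-zero PCRs, so a single all-zero entry unpins the key.
            if (key.lower().startswith(ATTESTATION_PREFIX) and vals
                    and all(set(v) - {"0"} for v in vals)):
                keys.append(key)
    return keys

def unbound_decrypt_statements(policy):
    """Sids of Allow statements that permit Decrypt without an enclave measurement."""
    return [s.get("Sid", f"statement[{i}]")
            for i, s in enumerate(as_list(policy.get("Statement", [])))
            if s.get("Effect") == "Allow" and grants_decrypt(s) and not pinning_keys(s)]

# Constructed sample policy (Principal/Resource omitted); PCR0 is a placeholder value.
PCR0 = "ab" * 48
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmin", "Effect": "Allow", "Action": ["kms:Describe*", "kms:PutKeyPolicy"]},
    {"Sid": "EnclaveDecrypt", "Effect": "Allow", "Action": "kms:Decrypt",
     "Condition": {"StringEqualsIgnoreCase": {"kms:RecipientAttestation:PCR0": PCR0}}},
    {"Sid": "RootFullAccess", "Effect": "Allow", "Action": "kms:*"},
]}

if __name__ == "__main__":
    print(unbound_decrypt_statements(SAMPLE))
```

To audit the real key, load the JSON returned by `aws kms get-key-policy --key-id <KEY_ID> --policy-name default --output text` and pass it to `unbound_decrypt_statements`; an empty list means every decrypt path requires a pinned measurement.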

Step 4: Provision the identity key into KMS

Load your validator keypair into KMS, encrypted under the PCR-bound key created in Step 3:

validator-cli rotate-identity \
  --keypair-path ~/solana/validator-keypair.json \
  --confirm

After this command exits, you can shred the on-disk keypair file. The marketplace process never reads it again.

Step 5: Register on the marketplace

Publish your validator listing so traders can discover it:

validator-cli register \
  --display-name "my-validator" \
  --endpoint-url https://tee.your-validator.example:443 \
  --payout-wallet <YOUR_PAYOUT_ADDRESS>

(--endpoint-url is your own TEE host-proxy's public address, not a marketplace URL. Substitute your real hostname.)

--payout-wallet is optional: it is the address where your 90% share of every payment lands, and it defaults to your validator identity key. Set a separate cold wallet here if you would rather your earnings accrue away from the identity key. You can change it later with validator-cli set-payout-wallet --payout-wallet <NEW_ADDRESS>, which applies to bookings made from then on (already-booked leases keep paying the wallet that was frozen at booking time).

The CLI signs the registration request with the identity keypair and posts to the marketplace API. The listing is visible on the marketplace browse page within seconds.

Step 6: Verify with the sign-probe

The marketplace runs a 60-second sign-probe against every listed validator (Design Doc §5.4). Confirm yours is green before advertising:

validator-cli stats --window 5m

The probe_uptime_5m field should read 100% within a few minutes. If it stays below 100%, jump to the incident response runbook.
