erigon: module: better secret management

happysalada 2022-11-12 13:01:24 -05:00 committed by Yt
parent bcb450ce97
commit e2bb1e774b
2 changed files with 11 additions and 46 deletions


@ -13,13 +13,13 @@ in {
services.erigon = {
enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier");
group = mkOption {
type = types.str;
default = "ethereum";
secretJwtPath = mkOption {
type = types.path;
description = lib.mdDoc ''
Group of the user running the lighthouse process. This is used to share the jwt
secret with the execution layer.
Path to the secret jwt used for the http api authentication.
'';
default = "";
example = "config.age.secrets.ERIGON_JWT.path";
};
settings = mkOption {
@ -64,19 +64,6 @@ in {
};
config = mkIf cfg.enable {
users = {
users.erigon = {
name = "erigon";
group = cfg.group;
description = "Erigon user";
home = "/var/lib/erigon";
isSystemUser = true;
};
groups = mkIf (cfg.group == "ethereum") {
ethereum = {};
};
};
# Default values are the same as in the binary, they are just written here for convenience.
services.erigon.settings = {
datadir = mkDefault "/var/lib/erigon";
@ -98,9 +85,9 @@ in {
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile}";
User = "erigon";
Group = cfg.group;
LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}";
ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT";
DynamicUser = true;
Restart = "on-failure";
StateDirectory = "erigon";
CapabilityBoundingSet = "";
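Review bot: `default = "";` on the new `secretJwtPath` option (declared `types.path`) means an unset option yields `LoadCredential = "ERIGON_JWT:"` with an empty source, so the failure surfaces as a unit start error rather than at evaluation; drop the default so the option is required, or guard the line with `LoadCredential = mkIf (cfg.secretJwtPath != "") "ERIGON_JWT:${cfg.secretJwtPath}";`. An empty string also does not pass the `types.path` check (it must begin with `/`), so the module system may reject the default as soon as it is read. The `group` option and the `ethereum` group are removed without a migration, so existing configurations that set `services.erigon.group` now fail with an undefined-option error; the same applies to `services.lighthouse.beacon.group` in the second file. Adding `(mkRemovedOptionModule [ "services" "erigon" "group" ] "The JWT secret is now passed via LoadCredential, so the shared group is no longer needed.")` to the module's `imports` (outside this hunk) would give users a clear message.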


@ -57,15 +57,6 @@ in {
'';
};
group = mkOption {
type = types.str;
default = "ethereum";
description = lib.mdDoc ''
Group of the user running the lighthouse process. This is used to share the jwt
secret with the execution layer.
'';
};
execution = {
address = mkOption {
type = types.str;
@ -221,19 +212,6 @@ in {
config = mkIf (cfg.beacon.enable || cfg.validator.enable) {
users = {
users.lighthouse-beacon = {
name = "lighthouse-beacon";
group = cfg.beacon.group;
description = "Lighthouse beacon node user";
home = "${cfg.beacon.dataDir}";
isSystemUser = true;
};
groups = mkIf (cfg.beacon.group == "ethereum") {
ethereum = {};
};
};
environment.systemPackages = [ pkgs.lighthouse ] ;
networking.firewall = mkIf cfg.beacon.enable {
@ -259,14 +237,14 @@ in {
--network ${cfg.network} \
--datadir ${cfg.beacon.dataDir}/${cfg.network} \
--execution-endpoint http://${cfg.beacon.execution.address}:${toString cfg.beacon.execution.port} \
--execution-jwt ${cfg.beacon.execution.jwtPath} \
--execution-jwt ''${CREDENTIALS_DIRECTORY}/LIGHTHOUSE_JWT \
${lib.optionalString cfg.beacon.http.enable '' --http --http-address ${cfg.beacon.http.address} --http-port ${toString cfg.beacon.http.port}''} \
${lib.optionalString cfg.beacon.metrics.enable '' --metrics --metrics-address ${cfg.beacon.metrics.address} --metrics-port ${toString cfg.beacon.metrics.port}''} \
${cfg.extraArgs} ${cfg.beacon.extraArgs}
'';
serviceConfig = {
User = "lighthouse-beacon";
Group = cfg.beacon.group;
LoadCredential = "LIGHTHOUSE_JWT:${cfg.beacon.execution.jwtPath}";
DynamicUser = true;
Restart = "on-failure";
StateDirectory = "lighthouse-beacon";
NoNewPrivileges = true;
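Review bot: `LoadCredential = "LIGHTHOUSE_JWT:${cfg.beacon.execution.jwtPath}";` interpolates the option into a string, so if `jwtPath` is declared with a type that accepts Nix path literals (its declaration is outside this hunk) a value such as `./jwt.hex` is copied into the world-readable Nix store before systemd ever loads it, defeating the purpose of the change. The option description should say what is expected, e.g. `Absolute path to the JWT secret as a string. Do not use a path literal: it would copy the secret into /nix/store.`, and the same caveat applies to `secretJwtPath` in the erigon module. The `--execution-jwt ''${CREDENTIALS_DIRECTORY}/LIGHTHOUSE_JWT` line relies on `$CREDENTIALS_DIRECTORY` being set by the same unit that carries `LoadCredential`; the enclosing `script` starts before this hunk, so that pairing cannot be confirmed here.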