erigon: module: better secret management
This commit is contained in:
parent
bcb450ce97
commit
e2bb1e774b
|
@ -13,13 +13,13 @@ in {
|
|||
services.erigon = {
|
||||
enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier");
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "ethereum";
|
||||
secretJwtPath = mkOption {
|
||||
type = types.path;
|
||||
description = lib.mdDoc ''
|
||||
Group of the user running the lighthouse process. This is used to share the jwt
|
||||
secret with the execution layer.
|
||||
Path to the secret jwt used for the http api authentication.
|
||||
'';
|
||||
default = "";
|
||||
example = "config.age.secrets.ERIGON_JWT.path";
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
|
@ -64,19 +64,6 @@ in {
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
users = {
|
||||
users.erigon = {
|
||||
name = "erigon";
|
||||
group = cfg.group;
|
||||
description = "Erigon user";
|
||||
home = "/var/lib/erigon";
|
||||
isSystemUser = true;
|
||||
};
|
||||
groups = mkIf (cfg.group == "ethereum") {
|
||||
ethereum = {};
|
||||
};
|
||||
};
|
||||
|
||||
# Default values are the same as in the binary, they are just written here for convenience.
|
||||
services.erigon.settings = {
|
||||
datadir = mkDefault "/var/lib/erigon";
|
||||
|
@ -98,9 +85,9 @@ in {
|
|||
after = [ "network.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile}";
|
||||
User = "erigon";
|
||||
Group = cfg.group;
|
||||
LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}";
|
||||
ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT";
|
||||
DynamicUser = true;
|
||||
Restart = "on-failure";
|
||||
StateDirectory = "erigon";
|
||||
CapabilityBoundingSet = "";
|
||||
|
|
|
@ -57,15 +57,6 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "ethereum";
|
||||
description = lib.mdDoc ''
|
||||
Group of the user running the lighthouse process. This is used to share the jwt
|
||||
secret with the execution layer.
|
||||
'';
|
||||
};
|
||||
|
||||
execution = {
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
|
@ -221,19 +212,6 @@ in {
|
|||
|
||||
config = mkIf (cfg.beacon.enable || cfg.validator.enable) {
|
||||
|
||||
users = {
|
||||
users.lighthouse-beacon = {
|
||||
name = "lighthouse-beacon";
|
||||
group = cfg.beacon.group;
|
||||
description = "Lighthouse beacon node user";
|
||||
home = "${cfg.beacon.dataDir}";
|
||||
isSystemUser = true;
|
||||
};
|
||||
groups = mkIf (cfg.beacon.group == "ethereum") {
|
||||
ethereum = {};
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.lighthouse ] ;
|
||||
|
||||
networking.firewall = mkIf cfg.beacon.enable {
|
||||
|
@ -259,14 +237,14 @@ in {
|
|||
--network ${cfg.network} \
|
||||
--datadir ${cfg.beacon.dataDir}/${cfg.network} \
|
||||
--execution-endpoint http://${cfg.beacon.execution.address}:${toString cfg.beacon.execution.port} \
|
||||
--execution-jwt ${cfg.beacon.execution.jwtPath} \
|
||||
--execution-jwt ''${CREDENTIALS_DIRECTORY}/LIGHTHOUSE_JWT \
|
||||
${lib.optionalString cfg.beacon.http.enable '' --http --http-address ${cfg.beacon.http.address} --http-port ${toString cfg.beacon.http.port}''} \
|
||||
${lib.optionalString cfg.beacon.metrics.enable '' --metrics --metrics-address ${cfg.beacon.metrics.address} --metrics-port ${toString cfg.beacon.metrics.port}''} \
|
||||
${cfg.extraArgs} ${cfg.beacon.extraArgs}
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "lighthouse-beacon";
|
||||
Group = cfg.beacon.group;
|
||||
LoadCredential = "LIGHTHOUSE_JWT:${cfg.beacon.execution.jwtPath}";
|
||||
DynamicUser = true;
|
||||
Restart = "on-failure";
|
||||
StateDirectory = "lighthouse-beacon";
|
||||
NoNewPrivileges = true;
|
||||
|
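Review bot: `services.lighthouse.beacon.group` is removed in the hunk at `@@ -57,15 +57,6 @@` without a migration path, so configurations that set it now fail evaluation with an undefined-option error; an `imports` entry such as `(mkRemovedOptionModule [ "services" "lighthouse" "beacon" "group" ] "The jwt secret is now passed via systemd LoadCredential and needs no shared group.")` would address that. The `--execution-jwt ''${CREDENTIALS_DIRECTORY}/LIGHTHOUSE_JWT` line relies on the Nix `''$` escape to hand the literal shell variable to the wrapper, which is easy to misread as a Nix interpolation; a one-line comment above it, `# ''$ escapes the Nix interpolation; systemd sets CREDENTIALS_DIRECTORY at runtime`, would help future readers. The `execution.jwtPath` option description, which lies outside these hunks, should presumably now state that the file is read by systemd when the unit starts and therefore need not be readable by the `lighthouse-beacon` user or the `ethereum` group.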
|