authorhappysalada <raphael@megzari.com>2022-11-12 13:01:24 -0500
committerYt <happysalada@proton.me>2022-11-12 14:29:43 -0500
commite2bb1e774b5f458de166169d2f6cede6aff9d289 (patch)
tree8f80bb13832917f080494c75a9cb01e88becd9aa
parentbcb450ce97b68ea5785fec28b9237430566ae521 (diff)
erigon: module: better secret management
-rw-r--r--nixos/modules/services/blockchain/ethereum/erigon.nix29
-rw-r--r--nixos/modules/services/blockchain/ethereum/lighthouse.nix28
2 files changed, 11 insertions, 46 deletions
diff --git a/nixos/modules/services/blockchain/ethereum/erigon.nix b/nixos/modules/services/blockchain/ethereum/erigon.nix
index 892262d246b7c..9ff7df0b15e56 100644
--- a/nixos/modules/services/blockchain/ethereum/erigon.nix
+++ b/nixos/modules/services/blockchain/ethereum/erigon.nix
@@ -13,13 +13,13 @@ in {
     services.erigon = {
       enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier");
 
-      group = mkOption {
-        type = types.str;
-        default = "ethereum";
+      secretJwtPath = mkOption {
+        type = types.path;
         description = lib.mdDoc ''
-          Group of the user running the lighthouse process. This is used to share the jwt
-          secret with the execution layer.
+          Path to the secret jwt used for the http api authentication.
         '';
+        default = "";
+        example = "config.age.secrets.ERIGON_JWT.path";
       };
 
       settings = mkOption {
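Review bot: `default = "";` on `secretJwtPath` does not fit `type = types.path;` — that type only accepts absolute paths, so as far as I can tell a configuration that leaves the option unset fails the option type check instead of producing a usable module, and even if it got through, the `LoadCredential` line in the third hunk would expand to `ERIGON_JWT:` with no source file. Either drop the default so the option is mandatory, or declare `type = types.nullOr types.path; default = null;` and add `LoadCredential` only when the value is non-null. The example is a Nix expression rather than a string, so `example = literalExpression "config.age.secrets.ERIGON_JWT.path";` renders it correctly in the manual. The description could also tell the reader how the file is consumed: `Path to the secret jwt used for the http api authentication. It is passed to the service through a systemd credential, so it does not need to be readable by the service user.`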
@@ -64,19 +64,6 @@ in {
   };
 
   config = mkIf cfg.enable {
-    users = {
-      users.erigon = {
-        name = "erigon";
-        group = cfg.group;
-        description = "Erigon user";
-        home = "/var/lib/erigon";
-        isSystemUser = true;
-      };
-      groups = mkIf (cfg.group == "ethereum") {
-        ethereum = {};
-      };
-    };
-
     # Default values are the same as in the binary, they are just written here for convenience.
     services.erigon.settings = {
       datadir = mkDefault "/var/lib/erigon";
@@ -98,9 +85,9 @@ in {
       after = [ "network.target" ];
 
       serviceConfig = {
-        ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile}";
-        User = "erigon";
-        Group = cfg.group;
+        LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}";
+        ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT";
+        DynamicUser = true;
         Restart = "on-failure";
         StateDirectory = "erigon";
         CapabilityBoundingSet = "";
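Review bot: `DynamicUser = true;` together with `StateDirectory = "erigon";` gives the transient user ownership of `/var/lib/erigon` only; the second hunk shows `datadir = mkDefault "/var/lib/erigon"`, so a deployment that overrides `services.erigon.settings.datadir` to another location will, as far as I can see, end up with a service that cannot write its database, whereas the removed fixed `erigon` user could be granted permissions by hand. Either derive the writable path from the configured datadir or state in the `datadir` option that it must stay under the state directory. The credential wiring itself is consistent: `LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}"` is what makes `%d/ERIGON_JWT` in `ExecStart` resolve. The `serviceConfig` attribute set continues past the end of the hunk.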
diff --git a/nixos/modules/services/blockchain/ethereum/lighthouse.nix b/nixos/modules/services/blockchain/ethereum/lighthouse.nix
index 6002b16785a75..db72c62d33044 100644
--- a/nixos/modules/services/blockchain/ethereum/lighthouse.nix
+++ b/nixos/modules/services/blockchain/ethereum/lighthouse.nix
@@ -57,15 +57,6 @@ in {
               '';
             };
 
-            group = mkOption {
-              type = types.str;
-              default = "ethereum";
-              description = lib.mdDoc ''
-                Group of the user running the lighthouse process. This is used to share the jwt
-                secret with the execution layer.
-              '';
-            };
-
             execution = {
               address = mkOption {
                 type = types.str;
@@ -221,19 +212,6 @@ in {
 
   config = mkIf (cfg.beacon.enable || cfg.validator.enable) {
 
-    users = {
-      users.lighthouse-beacon = {
-        name = "lighthouse-beacon";
-        group = cfg.beacon.group;
-        description = "Lighthouse beacon node user";
-        home = "${cfg.beacon.dataDir}";
-        isSystemUser = true;
-      };
-      groups = mkIf (cfg.beacon.group == "ethereum") {
-        ethereum = {};
-      };
-    };
-
     environment.systemPackages = [ pkgs.lighthouse ] ;
 
     networking.firewall = mkIf cfg.beacon.enable {
@@ -259,14 +237,14 @@ in {
           --network ${cfg.network} \
           --datadir ${cfg.beacon.dataDir}/${cfg.network} \
           --execution-endpoint http://${cfg.beacon.execution.address}:${toString cfg.beacon.execution.port} \
-          --execution-jwt ${cfg.beacon.execution.jwtPath} \
+          --execution-jwt ''${CREDENTIALS_DIRECTORY}/LIGHTHOUSE_JWT \
           ${lib.optionalString cfg.beacon.http.enable '' --http --http-address ${cfg.beacon.http.address} --http-port ${toString cfg.beacon.http.port}''} \
           ${lib.optionalString cfg.beacon.metrics.enable '' --metrics --metrics-address ${cfg.beacon.metrics.address} --metrics-port ${toString cfg.beacon.metrics.port}''} \
           ${cfg.extraArgs} ${cfg.beacon.extraArgs}
       '';
       serviceConfig = {
-        User = "lighthouse-beacon";
-        Group = cfg.beacon.group;
+        LoadCredential = "LIGHTHOUSE_JWT:${cfg.beacon.execution.jwtPath}";
+        DynamicUser = true;
         Restart = "on-failure";
         StateDirectory = "lighthouse-beacon";
         NoNewPrivileges = true;
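Review bot: `DynamicUser = true;` with `StateDirectory = "lighthouse-beacon";` does not cover `--datadir ${cfg.beacon.dataDir}/${cfg.network}` unless `cfg.beacon.dataDir` resolves to `/var/lib/lighthouse-beacon`; the removed user block set `home = "${cfg.beacon.dataDir}"`, which suggests the directory is configurable, so a non-default value would leave the transient user unable to write its database. Consider an assertion that `cfg.beacon.dataDir` is the state directory, or documenting that requirement on the option. `''${CREDENTIALS_DIRECTORY}/LIGHTHOUSE_JWT` depends on the surrounding script being run by a shell so the variable is expanded at runtime rather than by Nix; the script header is outside the hunk, so I could not confirm that. The `jwtPath` option description (also outside the hunk) should say the file is now loaded as a systemd credential and no longer has to be readable by a shared `ethereum` group.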