author | happysalada <raphael@megzari.com> | 2022-11-12 13:01:24 -0500 |
---|---|---|
committer | Yt <happysalada@proton.me> | 2022-11-12 14:29:43 -0500 |
commit | e2bb1e774b5f458de166169d2f6cede6aff9d289 (patch) | |
tree | 8f80bb13832917f080494c75a9cb01e88becd9aa | |
parent | bcb450ce97b68ea5785fec28b9237430566ae521 (diff) |
erigon: module: better secret management
-rw-r--r-- | nixos/modules/services/blockchain/ethereum/erigon.nix | 29 | ||||
-rw-r--r-- | nixos/modules/services/blockchain/ethereum/lighthouse.nix | 28 |
2 files changed, 11 insertions, 46 deletions
diff --git a/nixos/modules/services/blockchain/ethereum/erigon.nix b/nixos/modules/services/blockchain/ethereum/erigon.nix
index 892262d246b7c..9ff7df0b15e56 100644
--- a/nixos/modules/services/blockchain/ethereum/erigon.nix
+++ b/nixos/modules/services/blockchain/ethereum/erigon.nix
@@ -13,13 +13,13 @@ in {
 services.erigon = {
 enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier");
- group = mkOption {
- type = types.str;
- default = "ethereum";
+ secretJwtPath = mkOption {
+ type = types.path;
 description = lib.mdDoc ''
- Group of the user running the lighthouse process. This is used to share the jwt
- secret with the execution layer.
+ Path to the secret jwt used for the http api authentication.
 '';
+ default = "";
+ example = "config.age.secrets.ERIGON_JWT.path";
 };
 settings = mkOption {
@@ -64,19 +64,6 @@ in {
 };
 config = mkIf cfg.enable {
- users = {
- users.erigon = {
- name = "erigon";
- group = cfg.group;
- description = "Erigon user";
- home = "/var/lib/erigon";
- isSystemUser = true;
- };
- groups = mkIf (cfg.group == "ethereum") {
- ethereum = {};
- };
- };
-
 # Default values are the same as in the binary, they are just written here for convenience.
 services.erigon.settings = {
 datadir = mkDefault "/var/lib/erigon";
@@ -98,9 +85,9 @@ in {
 after = [ "network.target" ];
 serviceConfig = {
- ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile}";
- User = "erigon";
- Group = cfg.group;
+ LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}";
+ ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT";
+ DynamicUser = true;
 Restart = "on-failure";
 StateDirectory = "erigon";
 CapabilityBoundingSet = "";
diff --git a/nixos/modules/services/blockchain/ethereum/lighthouse.nix b/nixos/modules/services/blockchain/ethereum/lighthouse.nix
index 6002b16785a75..db72c62d33044 100644
--- a/nixos/modules/services/blockchain/ethereum/lighthouse.nix
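Review bot: The new `secretJwtPath` option in the first erigon.nix hunk declares `type = types.path;` but gives `default = "";`, and an empty string does not satisfy the path type, so any configuration that enables erigon without setting the option fails at evaluation time instead of with a clear "option is required" error; since `LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}";` in the third hunk is unconditional, the option is effectively mandatory and the `default = "";` line should simply be dropped (or, if an explicit default is wanted, use `type = types.nullOr types.path; default = null;` and guard the LoadCredential line). The `example` should be `example = literalExpression "config.age.secrets.ERIGON_JWT.path";` so the docs render it as an expression rather than a literal string. The description would also help operators if it stated the reason for the indirection, e.g. `The file is read by systemd through LoadCredential, so it can stay owned by root with mode 0400; it is never read directly by the erigon process.` Both this hunk and the first lighthouse.nix hunk delete a `group` option without a corresponding `mkRemovedOptionModule` in the module's `imports` (outside the hunks, if present), so existing configurations that set `services.erigon.group` or `services.lighthouse.beacon.group` will now fail with an undefined-option error rather than a migration message. Switching the unit from the static `erigon` user to `DynamicUser = true;` presumably leaves an existing `/var/lib/erigon` owned by the old uid — worth confirming that systemd's StateDirectory handling migrates the ownership on first start.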
+++ b/nixos/modules/services/blockchain/ethereum/lighthouse.nix
@@ -57,15 +57,6 @@ in {
 '';
 };
- group = mkOption {
- type = types.str;
- default = "ethereum";
- description = lib.mdDoc ''
- Group of the user running the lighthouse process. This is used to share the jwt
- secret with the execution layer.
- '';
- };
-
 execution = {
 address = mkOption {
 type = types.str;
@@ -221,19 +212,6 @@ in {
 config = mkIf (cfg.beacon.enable || cfg.validator.enable) {
- users = {
- users.lighthouse-beacon = {
- name = "lighthouse-beacon";
- group = cfg.beacon.group;
- description = "Lighthouse beacon node user";
- home = "${cfg.beacon.dataDir}";
- isSystemUser = true;
- };
- groups = mkIf (cfg.beacon.group == "ethereum") {
- ethereum = {};
- };
- };
-
 environment.systemPackages = [ pkgs.lighthouse ] ;
 networking.firewall = mkIf cfg.beacon.enable {
@@ -259,14 +237,14 @@ in {
 --network ${cfg.network} \
 --datadir ${cfg.beacon.dataDir}/${cfg.network} \
 --execution-endpoint http://${cfg.beacon.execution.address}:${toString cfg.beacon.execution.port} \
- --execution-jwt ${cfg.beacon.execution.jwtPath} \
+ --execution-jwt ''${CREDENTIALS_DIRECTORY}/LIGHTHOUSE_JWT \
 ${lib.optionalString cfg.beacon.http.enable '' --http --http-address ${cfg.beacon.http.address} --http-port ${toString cfg.beacon.http.port}''} \
 ${lib.optionalString cfg.beacon.metrics.enable '' --metrics --metrics-address ${cfg.beacon.metrics.address} --metrics-port ${toString cfg.beacon.metrics.port}''} \
 ${cfg.extraArgs} ${cfg.beacon.extraArgs}
 '';
 serviceConfig = {
- User = "lighthouse-beacon";
- Group = cfg.beacon.group;
+ LoadCredential = "LIGHTHOUSE_JWT:${cfg.beacon.execution.jwtPath}";
+ DynamicUser = true;
 Restart = "on-failure";
 StateDirectory = "lighthouse-beacon";
 NoNewPrivileges = true; |
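Review bot: In the last lighthouse.nix hunk, `DynamicUser = true;` is added to a unit whose script still writes to `--datadir ${cfg.beacon.dataDir}/${cfg.network}`, and DynamicUser implies ProtectSystem=strict, so the beacon node can only write there if `cfg.beacon.dataDir` resolves to the `StateDirectory = "lighthouse-beacon";` path under /var/lib; the option's default is outside this hunk, so if it can point elsewhere the module should either derive the datadir from the state directory or add an assertion naming the constraint. The removed `users.lighthouse-beacon` block set `home = "${cfg.beacon.dataDir}"`, which suggests the data directory was previously independent of the state directory — worth confirming. The `LoadCredential = "LIGHTHOUSE_JWT:${cfg.beacon.execution.jwtPath}";` line is the right shape, but `jwtPath` is declared outside the hunk; if it is still typed as a string with an empty or relative default, the credential silently resolves against systemd's credential store rather than failing early, so it should be `types.path` with no default. A short comment above the serviceConfig would help the next maintainer: `# The JWT is handed to the process via LoadCredential so the secret file can remain root-owned; nothing else in the unit needs to read it.`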