config(modules/nimbus-eth2): Add argsFromFile option

MartinNikov · PetarKirov · commit 18c5cffcd0bc · 2024-09-19T15:36:41.000+03:00
diff --git a/modules/nimbus-eth2/default.nix b/modules/nimbus-eth2/default.nix
@@ -6,22 +6,18 @@
 }: let
   modulesLib = import ../lib.nix lib;
 
-  inherit (lib.lists) findFirst sublist last;
-  inherit (lib.strings) hasPrefix;
+  serviceArgs =
+    lib.mapAttrs (
+      beaconName: let
+        serviceName = "nimbus-eth2";
+      in
+        cfg: ((import ./service-args.nix {inherit lib pkgs;}).argsCreate serviceName cfg)
+    )
+    eachBeacon;
+
   inherit (lib.attrsets) zipAttrsWith;
-  inherit
-    (lib)
-    concatStringsSep
-    filterAttrs
-    flatten
-    mapAttrs'
-    mapAttrsToList
-    mkIf
-    mkMerge
-    nameValuePair
-    types
-    ;
-  inherit (modulesLib) mkArgs baseServiceConfig defaultArgReducer;
+  inherit (lib) filterAttrs flatten mapAttrs' mapAttrsToList mkIf mkMerge nameValuePair;
+  inherit (modulesLib) baseServiceConfig;
 
   eachBeacon = config.services.ethereum.nimbus-eth2;
 in {
@@ -57,139 +53,29 @@ in {
     in
       zipAttrsWith (_name: flatten) perService;
 
+    environment = lib.mapAttrs' (beaconName: cfg:
+      lib.nameValuePair "etc" {
+        "ethereum/nimbus-${beaconName}-args" = let
+          argsFromFile = cfg.argsFromFile;
+        in
+          lib.mkIf argsFromFile.enable {
+            source = builtins.toFile "nimbus-${beaconName}-args" ''
+              ARGS="${serviceArgs.${beaconName}.beaconNodeArgs}"
+            '';
+            group = argsFromFile.group;
+            mode = argsFromFile.mode;
+          };
+      })
+    eachBeacon;
+
     systemd.services =
       mapAttrs'
       (
         beaconName: let
           serviceName = "nimbus-eth2";
         in
           cfg: let
-            network =
-              if cfg.args.network != null
-              then "--network=${cfg.args.network}"
-              else "";
-
-            jwtSecret =
-              if cfg.args.jwt-secret != null
-              then ''--jwt-secret="%d/jwt-secret"''
-              else "";
-
-            keymanagerTokenFile =
-              if cfg.args.keymanager.token-file != null
-              then ''--keymanager-token-file="%d/keymanager-token-file"''
-              else "";
-
-            trustedNodeUrl =
-              if cfg.args.trusted-node-url != null
-              then ''--trusted-node-url="${cfg.args.trusted-node-url}"''
-              else "";
-
-            backfilling =
-              if cfg.args.trusted-node-url != null
-              then ''--backfill=${lib.boolToString cfg.args.backfill}''
-              else "";
-
-            web3Url =
-              if cfg.args.web3-urls != null
-              then ''--web3-url=${concatStringsSep " --web3-url=" cfg.args.web3-urls}''
-              else "";
-
-            web3SignerUrls = lib.pipe cfg.args.web3-signer-url [
-              (builtins.map (x: "--web3-signer-url=${x}"))
-              (builtins.concatStringsSep " ")
-            ];
-
-            payloadBuilder =
-              if cfg.args.payload-builder.enable
-              then "--payload-builder=true --payload-builder-url=${cfg.args.payload-builder.url}"
-              else "";
-
-            dataDirPath = "%S/${serviceName}";
-            dataDir = ''--data-dir="${dataDirPath}"'';
-
-            beaconNodeArgs = let
-              # generate args
-              args = let
-                opts = import ./args.nix lib;
-
-                pathReducer = path: let
-                  p =
-                    if (last path == "enable")
-                    then sublist 0 ((builtins.length path) - 1) path
-                    else path;
-                in "--${concatStringsSep "-" p}";
-
-                argFormatter = {
-                  opt,
-                  path,
-                  value,
-                  argReducer ? defaultArgReducer,
-                  pathReducer ? defaultArgReducer,
-                }: let
-                  arg = pathReducer path;
-                in
-                  if (opt.type == types.bool)
-                  then
-                    (
-                      if value
-                      then "${arg}"
-                      else ""
-                    )
-                  else "${arg}=${argReducer value}";
-              in
-                mkArgs {
-                  inherit opts;
-                  inherit (cfg) args;
-                  inherit argFormatter;
-                  inherit pathReducer;
-                };
-              # filter out certain args which need to be treated differently
-              specialArgs = ["--network" "--jwt-secret" "--web3-urls" "--web3-signer-url" "--trusted-node-url" "--backfill" "--payload-builder" "--keymanager-token-file"];
-              isNormalArg = name: (findFirst (arg: hasPrefix arg name) null specialArgs) == null;
-              filteredArgs = builtins.filter isNormalArg args;
-            in ''
-              ${network} ${jwtSecret} \
-              ${web3Url} \
-              ${web3SignerUrls} \
-              ${dataDir} \
-              ${keymanagerTokenFile} \
-              ${payloadBuilder} \
-              ${concatStringsSep " \\\n" filteredArgs} \
-              ${lib.escapeShellArgs cfg.extraArgs}
-            '';
-
-            nodeSyncArgs = ''
-              ${network} \
-              ${trustedNodeUrl} \
-              ${backfilling}'';
-
-            binaryName =
-              if cfg.args.network == "gnosis" || cfg.args.network == "chiado"
-              then "${cfg.package}/bin/nimbus_beacon_node_gnosis"
-              else "${cfg.package}/bin/nimbus_beacon_node";
-
-            # When running trustedNodeSync after passing once, it gives an error
-            # and doesn't continue to execute execStart. The problem occurs when
-            # the service is restarted and execStartPre runs again. So we check
-            # for the existence of a file in the folder, and that way we know if
-            # Nimbus is running for the first time or not.
-            trustedNodeSync =
-              if cfg.args.trusted-node-url != null
-              then let
-                script = pkgs.writeShellScript "trustedNodeSync.sh" ''
-                  datadir="$1"
-                  shift
-                  if [ -f "$datadir/db/nbc.sqlite3" ]; then
-                    echo "skipping trustedNodeSync";
-                    exit 0
-                  else
-                    echo "starting trustedNodeSync";
-                    set -x
-                    ${binaryName} trustedNodeSync "$@"
-                  fi
-                '';
-              in "${script} ${dataDirPath} ${dataDir} ${nodeSyncArgs}"
-              else null;
+            inherit (serviceArgs."${beaconName}") trustedNodeSync execStartCommand;
           in
             nameValuePair serviceName (mkIf cfg.enable {
               after = ["network.target"];
@@ -202,8 +88,9 @@ in {
                 {
                   User = serviceName;
                   StateDirectory = serviceName;
+                  EnvironmentFile = lib.mkIf cfg.argsFromFile.enable "/etc/ethereum/nimbus-${beaconName}-args";
                   ExecStartPre = trustedNodeSync;
-                  ExecStart = ''${binaryName} ${beaconNodeArgs}'';
+                  ExecStart = execStartCommand;
                   MemoryDenyWriteExecute = "false"; # causes a library loading error
                 }
                 (mkIf (cfg.args.jwt-secret != null) {
diff --git a/modules/nimbus-eth2/options.nix b/modules/nimbus-eth2/options.nix
@@ -30,6 +30,22 @@
         description = lib.mdDoc "Open ports in the firewall for any enabled networking services";
       };
 
+      argsFromFile = {
+        enable = mkEnableOption (mdDoc "Create a file in the etc directory from which arguments can be modified");
+        group = mkOption {
+          type = types.str;
+          default = "";
+          example = "devops";
+          description = lib.mdDoc "Group which can modify the arguments file";
+        };
+        mode = mkOption {
+          type = types.str;
+          default = "0664";
+          example = "0060";
+          description = lib.mdDoc "Arguments file mode";
+        };
+      };
+
       # mixin backup options
       backup = let
         inherit (import ../backup/lib.nix lib) options;
diff --git a/modules/nimbus-eth2/service-args.nix b/modules/nimbus-eth2/service-args.nix
@@ -0,0 +1,151 @@
+{
+  lib,
+  pkgs,
+  ...
+}: let
+  modulesLib = import ../lib.nix lib;
+
+  inherit (lib.lists) findFirst sublist last;
+  inherit (lib.strings) hasPrefix;
+  inherit (lib) concatStringsSep types;
+  inherit (modulesLib) mkArgs defaultArgReducer;
+in {
+  argsCreate = serviceName: cfg: let
+    network =
+      if cfg.args.network != null
+      then "--network=${cfg.args.network}"
+      else "";
+
+    jwtSecret =
+      if cfg.args.jwt-secret != null
+      then ''--jwt-secret="%d/jwt-secret"''
+      else "";
+
+    keymanagerTokenFile =
+      if cfg.args.keymanager.token-file != null
+      then ''--keymanager-token-file="%d/keymanager-token-file"''
+      else "";
+
+    trustedNodeUrl =
+      if cfg.args.trusted-node-url != null
+      then ''--trusted-node-url="${cfg.args.trusted-node-url}"''
+      else "";
+
+    backfilling =
+      if cfg.args.trusted-node-url != null
+      then ''--backfill=${lib.boolToString cfg.args.backfill}''
+      else "";
+
+    web3Url =
+      if cfg.args.web3-urls != null
+      then ''--web3-url=${concatStringsSep " --web3-url=" cfg.args.web3-urls}''
+      else "";
+
+    web3SignerUrls = lib.pipe cfg.args.web3-signer-url [
+      (builtins.map (x: "--web3-signer-url=${x}"))
+      (builtins.concatStringsSep " ")
+    ];
+
+    payloadBuilder =
+      if cfg.args.payload-builder.enable
+      then "--payload-builder=true --payload-builder-url=${cfg.args.payload-builder.url}"
+      else "";
+
+    dataDirPath = "%S/${serviceName}";
+    dataDir = ''--data-dir="${dataDirPath}"'';
+  in rec {
+    beaconNodeArgs = let
+      # generate args
+      args = let
+        opts = import ./args.nix lib;
+
+        pathReducer = path: let
+          p =
+            if (last path == "enable")
+            then sublist 0 ((builtins.length path) - 1) path
+            else path;
+        in "--${concatStringsSep "-" p}";
+
+        argFormatter = {
+          opt,
+          path,
+          value,
+          argReducer ? defaultArgReducer,
+          pathReducer ? defaultArgReducer,
+        }: let
+          arg = pathReducer path;
+        in
+          if (opt.type == types.bool)
+          then
+            (
+              if value
+              then "${arg}"
+              else ""
+            )
+          else "${arg}=${argReducer value}";
+      in
+        mkArgs {
+          inherit opts;
+          inherit (cfg) args;
+          inherit argFormatter;
+          inherit pathReducer;
+        };
+      # filter out certain args which need to be treated differently
+      specialArgs = ["--network" "--jwt-secret" "--web3-urls" "--web3-signer-url" "--trusted-node-url" "--backfill" "--payload-builder" "--keymanager-token-file"];
+      isNormalArg = name: (findFirst (arg: hasPrefix arg name) null specialArgs) == null;
+      filteredArgs = builtins.filter isNormalArg args;
+    in ''
+      ${network} \
+      ${web3Url} \
+      ${web3SignerUrls} \
+      ${payloadBuilder} \
+      ${concatStringsSep " \\\n" filteredArgs} \
+      ${lib.escapeShellArgs cfg.extraArgs}
+    '';
+
+    systemdPathsArgs = ''
+      ${jwtSecret} \
+      ${dataDir} \
+      ${keymanagerTokenFile} \
+    '';
+
+    nodeSyncArgs = ''
+      ${network} \
+      ${trustedNodeUrl} \
+      ${backfilling}
+    '';
+
+    binaryName =
+      if cfg.args.network == "gnosis" || cfg.args.network == "chiado"
+      then "${cfg.package}/bin/nimbus_beacon_node_gnosis"
+      else "${cfg.package}/bin/nimbus_beacon_node";
+
+    # When running trustedNodeSync after passing once, it gives an error
+    # and doesn't continue to execute execStart. The problem occurs when
+    # the service is restarted and execStartPre runs again. So we check
+    # for the existence of a file in the folder, and that way we know if
+    # Nimbus is running for the first time or not.
+    trustedNodeSync =
+      if cfg.args.trusted-node-url != null
+      then let
+        script = pkgs.writeShellScript "trustedNodeSync.sh" ''
+          datadir="$1"
+          shift
+          if [ -f "$datadir/db/nbc.sqlite3" ]; then
+            echo "skipping trustedNodeSync";
+            exit 0
+          else
+            echo "starting trustedNodeSync";
+            set -x
+            ${binaryName} trustedNodeSync "$@"
+          fi
+        '';
+      in "${script} ${dataDirPath} ${dataDir} ${nodeSyncArgs}"
+      else null;
+
+    execStartCommand =
+      if cfg.argsFromFile.enable
+      then ''${binaryName} ${systemdPathsArgs} $ARGS''
+      else ''${binaryName} ${systemdPathsArgs} ${beaconNodeArgs}'';
+  };
+}
