Skip to content

Commit 7f9a576

Browse files
ekimberekimber
authored
Fix memorydenywrite issue and add keymanager API (nix-community#546)
fix memorydenywrite issue and add keymanager API
1 parent 0f87d1c commit 7f9a576

File tree

2 files changed

+45
-6
lines changed

2 files changed

+45
-6
lines changed

modules/nimbus-beacon/args.nix

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -93,6 +93,29 @@ with lib; {
9393
description = "The graffiti value that will appear in proposed blocks. You can use a 0x-prefixed hex encoded string to specify raw bytes.";
9494
};
9595

96+
keymanager = {
97+
enable = mkOption {
98+
type = types.bool;
99+
default = false;
100+
description = "Enable keymanager API";
101+
};
102+
address = mkOption {
103+
type = types.str;
104+
default = "127.0.0.1";
105+
description = "Host used for keymanager API.";
106+
};
107+
port = mkOption {
108+
type = types.port;
109+
default = 5053;
110+
description = "Keymanager API PORT";
111+
};
112+
token-file = mkOption {
113+
type = types.str;
114+
default = "api-token.txt";
115+
description = "Keymanager API token file";
116+
};
117+
};
118+
96119
metrics = {
97120
enable = mkOption {
98121
type = types.bool;

modules/nimbus-beacon/default.nix

Lines changed: 22 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -98,8 +98,9 @@ in {
9898
else "";
9999
data-dir =
100100
if cfg.args.data-dir != null
101-
then "--data-dir=${cfg.args.data-dir}"
102-
else "--data-dir=%S/${serviceName}";
101+
then cfg.args.data-dir
102+
else "%S/${serviceName}";
103+
data-dir-arg = "--data-dir=${data-dir}";
103104

104105
scriptArgs = let
105106
# filter out certain args which need to be treated differently
@@ -116,6 +117,10 @@ in {
116117
"--metrics-port"
117118
"--payload-builder-enable"
118119
"--payload-builder-url"
120+
"--keymanager-enable"
121+
"--keymanager-token-file"
122+
"--keymanager-address"
123+
"--keymanager-port"
119124
"--trusted-node-url" # only needed for checkpoint sync
120125
];
121126
isNormalArg = name: (findFirst (arg: hasPrefix arg name) null specialArgs) == null;
@@ -137,10 +142,16 @@ in {
137142
++ (optionals cfg.args.payload-builder.enable [
138143
"--payload-builder"
139144
"--payload-builder-url=${cfg.args.payload-builder.url}"
145+
])
146+
++ (optionals cfg.args.keymanager.enable [
147+
"--keymanager"
148+
"--keymanager-address=${cfg.args.keymanager.address}"
149+
"--keymanager-port=${toString cfg.args.keymanager.port}"
150+
"--keymanager-token-file=${data-dir}/${cfg.args.keymanager.token-file}"
140151
]);
141152
in ''
142153
${jwt-secret} \
143-
${data-dir} \
154+
${data-dir-arg} \
144155
${concatStringsSep " \\\n" filteredArgs} \
145156
${lib.escapeShellArgs cfg.extraArgs}
146157
'';
@@ -154,7 +165,7 @@ in {
154165
filteredArgs = builtins.filter isCheckpointArg args;
155166
in ''
156167
--backfill=false \
157-
${data-dir} \
168+
${data-dir-arg} \
158169
${concatStringsSep " \\\n" filteredArgs}
159170
'';
160171
in
@@ -164,16 +175,21 @@ in {
164175
description = "Nimbus Beacon Node (${beaconName})";
165176

166177
serviceConfig = mkMerge [
167-
baseServiceConfig
168178
{
179+
MemoryDenyWriteExecute = false;
169180
User =
170181
if cfg.args.user != null
171182
then cfg.args.user
172183
else user;
173184
StateDirectory = user;
174-
ExecStartPre = "${cfg.package}/bin/nimbus_beacon_node trustedNodeSync ${checkpointSyncArgs}";
185+
ExecStartPre = lib.mkBefore [
186+
'' ${pkgs.coreutils-full}/bin/cp --no-preserve=all --update=none \
187+
/proc/sys/kernel/random/uuid ${data-dir}/${cfg.args.keymanager.token-file}''
188+
"${cfg.package}/bin/nimbus_beacon_node trustedNodeSync ${checkpointSyncArgs}"
189+
];
175190
ExecStart = "${cfg.package}/bin/nimbus_beacon_node ${scriptArgs}";
176191
}
192+
baseServiceConfig
177193
(mkIf (cfg.args.jwt-secret != null) {
178194
LoadCredential = ["jwt-secret:${cfg.args.jwt-secret}"];
179195
})

0 commit comments

Comments
 (0)