feat(modules/nimbus-eth2): Add keymanager options

MartinNikov · PetarKirov · commit e7fe1d0b35ca · 2024-03-12T14:00:54.000+02:00
diff --git a/modules/nimbus-eth2/args.nix b/modules/nimbus-eth2/args.nix
@@ -135,4 +135,31 @@ with lib; {
       description = mdDoc "Payload builder URL.";
     };
   };
+
+  keymanager = {
+    enable = lib.mkEnableOption (mdDoc "Enable the REST keymanager API");
+    address = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = mdDoc "Listening port for the REST keymanager API.";
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 5052;
+      description = mdDoc "Listening port for the REST keymanager API.";
+    };
+
+    allow-origin = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = mdDoc "Limit the access to the Keymanager API to a particular hostname (for CORS-enabled clients such as browsers).";
+    };
+
+    token-file = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = mdDoc "A file specifying the authorization token required for accessing the keymanager API.";
+    };
+  };
 }
diff --git a/modules/nimbus-eth2/default.nix b/modules/nimbus-eth2/default.nix
@@ -74,6 +74,11 @@ in {
               then ''--jwt-secret="%d/jwt-secret"''
               else "";
 
+            keymanagerTokenFile =
+              if cfg.args.keymanager.token-file != null
+              then ''--keymanager-token-file="%d/keymanager-token-file"''
+              else "";
+
             trustedNodeUrl =
               if cfg.args.trusted-node-url != null
               then ''--trusted-node-url="${cfg.args.trusted-node-url}"''
@@ -134,13 +139,14 @@ in {
                   inherit pathReducer;
                 };
               # filter out certain args which need to be treated differently
-              specialArgs = ["--network" "--jwt-secret" "--web3-urls" "--trusted-node-url" "--backfill" "--payload-builder"];
+              specialArgs = ["--network" "--jwt-secret" "--web3-urls" "--trusted-node-url" "--backfill" "--payload-builder" "--keymanager-token-file"];
               isNormalArg = name: (findFirst (arg: hasPrefix arg name) null specialArgs) == null;
               filteredArgs = builtins.filter isNormalArg args;
             in ''
               ${network} ${jwtSecret} \
               ${web3Url} \
               ${dataDir} \
+              ${keymanagerTokenFile} \
               ${payloadBuilder} \
               ${concatStringsSep " \\\n" filteredArgs} \
               ${lib.escapeShellArgs cfg.extraArgs}
@@ -193,6 +199,9 @@ in {
                 (mkIf (cfg.args.jwt-secret != null) {
                   LoadCredential = ["jwt-secret:${cfg.args.jwt-secret}"];
                 })
+                (mkIf (cfg.args.keymanager.token-file != null) {
+                  LoadCredential = ["keymanager-token-file:${cfg.args.keymanager.token-file}"];
+                })
               ];
             })
       )
