Context
When setting jwtsecret and execution-jwt in config.nix for services.ethereum.reth.mainnet and services.ethereum.lighthouse-beacon.mainnet, the generated systemd units do not respect the configured file paths.
Bug description
In the reth module I've set the jwtsecret option. Docs
In the lighthouse module I've set the execution-jwt option. Docs
config.nix
{
  inputs,
  config,
  ...
}: {
  imports = [
    inputs.ethereum-nix.nixosModules.default
  ];
  services.ethereum = {
    reth.mainnet = {
      enable = true;
      openFirewall = true;
      args = {
        full = true;
        authrpc = {
          port = 8551;
          # jwtsecret = config.sops.secrets.jwt-secret.path;
          # JWT Secret is present at this path
          jwtsecret = "/run/secrets/jwt-secret";
        };
        http = {
          enable = true;
          api = ["all"];
          addr = "127.0.0.1";
          port = 8545;
        };
        ws = {
          enable = true;
          api = ["all"];
          addr = "127.0.0.1";
          port = 8546;
        };
      };
    };
    lighthouse-beacon.mainnet = {
      enable = true;
      openFirewall = true;
      args = {
        # execution-jwt = config.sops.secrets.jwt-secret.path;
        # JWT Secret is present at this path
        execution-jwt = "/run/secrets/jwt-secret";
        execution-endpoint = "http://localhost:8551";
        checkpoint-sync-url = "https://mainnet.checkpoint.sigp.io";
      };
    };
  };
  environment.systemPackages = with inputs.ethereum-nix.packages."x86_64-linux"; [
    reth
    lighthouse
  ];
}
Instead of using the specified /run/secrets/jwt-secret, the services are expecting credentials at /run/credentials/..., resulting in both units failing.
Systemd status for reth-mainnet.service (look at the --authrpc.jwtsecret arg)
node ~ ❯❯❯ sudo systemctl status reth-mainnet.service
× reth-mainnet.service - Reth Ethereum node (mainnet)
Loaded: loaded (/etc/systemd/system/reth-mainnet.service; enabled; preset: ignored)
Active: failed (Result: exit-code) since Fri 2025-10-31 12:49:42 IST; 55s ago
Duration: 19ms
Invocation: 16ef3f6cad4443db818718147636830a
Process: 30697 ExecStart=/nix/store/1vz4rj2c5y65jydixxyc42xlrcjvb65c-reth-1.8.2/bin/reth node --log.file.directory /var/lib/reth-mainnet/logs --datadir /var/lib/reth-mainnet --authrpc.jwtsecret /run/credentials/reth-mainnet.service/jwtsecret --authrpc.addr 127.0.0.1 --authrp>
Main PID: 30697 (code=exited, status=2)
IP: 0B in, 0B out
IO: 0B read, 0B written
Mem peak: 9.1M
CPU: 54ms
Oct 31 12:49:42 node systemd[1]: reth-mainnet.service: Scheduled restart job, restart counter is at 5.
Oct 31 12:49:42 node systemd[1]: reth-mainnet.service: Start request repeated too quickly.
Oct 31 12:49:42 node systemd[1]: reth-mainnet.service: Failed with result 'exit-code'.
Oct 31 12:49:42 node systemd[1]: Failed to start Reth Ethereum node (mainnet).
Systemd status for lighthouse-beacon-mainnet.service (look at the --execution-jwt arg)
node ~ ❯❯❯ sudo systemctl status lighthouse-beacon-mainnet.service
× lighthouse-beacon-mainnet.service - Lighthouse Beacon Node (mainnet)
Loaded: loaded (/etc/systemd/system/lighthouse-beacon-mainnet.service; enabled; preset: ignored)
Active: failed (Result: exit-code) since Fri 2025-10-31 12:49:45 IST; 48s ago
Duration: 589ms
Invocation: 627719dbf4ef4f738cac1287aa1d644c
Process: 30797 ExecStart=/nix/store/qn4xk3wn63p5iw2dhhzmccfvmmipyqba-lighthouse-7.1.0/bin/lighthouse beacon --execution-jwt /run/credentials/lighthouse-beacon-mainnet.service/execution-jwt --datadir /var/lib/lighthouse-mainnet --checkpoint-sync-url https://mainnet.checkpoint>
Main PID: 30797 (code=exited, status=1/FAILURE)
IP: 0B in, 0B out
IO: 0B read, 485.4M written
Mem peak: 523.9M
CPU: 619ms
Oct 31 12:49:45 node systemd[1]: lighthouse-beacon-mainnet.service: Scheduled restart job, restart counter is at 5.
Oct 31 12:49:45 node systemd[1]: lighthouse-beacon-mainnet.service: Start request repeated too quickly.
Oct 31 12:49:45 node systemd[1]: lighthouse-beacon-mainnet.service: Failed with result 'exit-code'.
Oct 31 12:49:45 node systemd[1]: Failed to start Lighthouse Beacon Node (mainnet).
Oct 31 12:49:45 node systemd[1]: lighthouse-beacon-mainnet.service: Consumed 619ms CPU time, 523.9M memory peak, 485.4M written to disk.
Steps to reproduce
- Add this in your configuration file
  services.ethereum = {
    reth.mainnet = {
      enable = true;
      openFirewall = true;
      args = {
        full = true;
        authrpc = {
          port = 8551;
          # jwtsecret = config.sops.secrets.jwt-secret.path;
          jwtsecret = "/run/secrets/jwt-secret";
        };
        http = {
          enable = true;
          api = ["all"];
          addr = "127.0.0.1";
          port = 8545;
        };
        ws = {
          enable = true;
          api = ["all"];
          addr = "127.0.0.1";
          port = 8546;
        };
      };
    };
    lighthouse-beacon.mainnet = {
      enable = true;
      openFirewall = true;
      args = {
        # execution-jwt = config.sops.secrets.jwt-secret.path;
        execution-jwt = "/run/secrets/jwt-secret";
        execution-endpoint = "http://localhost:8551";
        checkpoint-sync-url = "https://mainnet.checkpoint.sigp.io";
      };
    };
  };
- Rebuild nixos configurations
- Check systemd logs for reth-mainnet.service and lighthouse-beacon-mainnet.service
Before submitting
- I have attached links to the documentation, and possibly related issues and discussions.
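A diagnostic for the symptom reported above, added here as an example (it is not part of the original issue or of the ethereum.nix code): it reads unit-file text and reports whether the JWT flag in ExecStart points into /run/credentials/<unit>/ and whether a LoadCredential= entry supplies that file. The sample unit text and the /nix/store placeholder are constructed, and that the module wires the secret through systemd's LoadCredential= is an assumption.

```bash
# check_cred_flag UNIT FLAG < unit-file-text   (hypothetical helper name)
# Prints one of:
#   missing                 FLAG does not appear on the ExecStart line
#   direct <path>           FLAG points outside /run/credentials/UNIT/
#   backed <id> <source>    credential path with a matching LoadCredential=
#   unbacked <id>           credential path, but nothing loads that id
check_cred_flag() {
  local unit="$1" flag="$2" text path id src
  text="$(cat)"
  # Value that follows FLAG on the ExecStart line.
  path="$(printf '%s\n' "$text" | awk -v f="$flag" '
    /^ExecStart=/ { for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }')"
  [ -n "$path" ] || { echo "missing"; return 0; }
  case "$path" in
    "/run/credentials/$unit/"*) id="${path#"/run/credentials/$unit/"}" ;;
    *) echo "direct $path"; return 0 ;;
  esac
  # LoadCredential=ID:SOURCE tells systemd to expose SOURCE as
  # /run/credentials/UNIT/ID for the lifetime of the service.
  src="$(printf '%s\n' "$text" | awk -F= -v id="$id" '
    $1 == "LoadCredential" { split($2, a, ":"); if (a[1] == id) { print a[2]; exit } }')"
  if [ -n "$src" ]; then
    echo "backed $id $src"
  else
    echo "unbacked $id"
  fi
}

# Constructed samples; PLACEHOLDER stands in for a real store hash.
SAMPLE_UNBACKED='[Service]
ExecStart=/nix/store/PLACEHOLDER-reth/bin/reth node --authrpc.jwtsecret /run/credentials/reth-mainnet.service/jwtsecret --authrpc.addr 127.0.0.1'
SAMPLE_BACKED="$SAMPLE_UNBACKED
LoadCredential=jwtsecret:/run/secrets/jwt-secret"

printf '%s\n' "$SAMPLE_UNBACKED" | check_cred_flag reth-mainnet.service --authrpc.jwtsecret
printf '%s\n' "$SAMPLE_BACKED" | check_cred_flag reth-mainnet.service --authrpc.jwtsecret

# On a live host, feed it the real unit:
#   systemctl cat reth-mainnet.service | check_cred_flag reth-mainnet.service --authrpc.jwtsecret
```

A "backed" result whose source differs from the configured path, or an "unbacked" result, narrows the failure to how the unit is generated rather than to the secret file itself.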