From 7f9a576c7abeefe7f6b4a51a16ef14f4d0dc699c Mon Sep 17 00:00:00 2001
From: Ed Kimber
Date: Tue, 24 Sep 2024 07:54:29 +0100
Subject: [PATCH] Fix memorydenywrite issue and add keymanager API (#546)

fix memorydenywrite issue and add keymanager API
---
 modules/nimbus-beacon/args.nix | 23 +++++++++++++++++++++++
 modules/nimbus-beacon/default.nix | 28 ++++++++++++++++++++++------
 2 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/modules/nimbus-beacon/args.nix b/modules/nimbus-beacon/args.nix
index ab95dae7..28a864b3 100644
--- a/modules/nimbus-beacon/args.nix
+++ b/modules/nimbus-beacon/args.nix
@@ -93,6 +93,29 @@ with lib; {
 description = "The graffiti value that will appear in proposed blocks. You can use a 0x-prefixed hex encoded string to specify raw bytes.";
 };
+ keymanager = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable keymanager API";
+ };
+ address = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ description = "Host used for keymanager API.";
+ };
+ port = mkOption {
+ type = types.port;
+ default = 5053;
+ description = "Keymanager API PORT";
+ };
+ token-file = mkOption {
+ type = types.str;
+ default = "api-token.txt";
+ description = "Keymanager API token file";
+ };
+ };
+
 metrics = {
 enable = mkOption {
 type = types.bool;
diff --git a/modules/nimbus-beacon/default.nix b/modules/nimbus-beacon/default.nix
index cdf4fb34..d35d4016 100644
--- a/modules/nimbus-beacon/default.nix
+++ b/modules/nimbus-beacon/default.nix
@@ -98,8 +98,9 @@ in {
 else "";
 data-dir = if cfg.args.data-dir != null
- then "--data-dir=${cfg.args.data-dir}"
- else "--data-dir=%S/${serviceName}";
+ then cfg.args.data-dir
+ else "%S/${serviceName}";
+ data-dir-arg = "--data-dir=${data-dir}";
 scriptArgs = let
 # filter out certain args which need to be treated differently 
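Review bot: `description = "Keymanager API token file";` does not say that the value is joined onto the data directory (`${data-dir}/${cfg.args.keymanager.token-file}` in both default.nix hunks that consume it), and `types.str` admits an absolute path that would silently become `…//path`; propose `description = "Name of the keymanager API token file, relative to the data directory; created on first start if missing.";`. The `address` description could likewise state the trust model, e.g. `description = "Bind address for the keymanager API. It is protected only by the token file, so keep it on loopback unless access is otherwise restricted.";`. `"Keymanager API PORT"` is the only description in this hunk with an uppercased noun and no trailing period; `"Port for the keymanager API."` matches the neighbouring options.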
@@ -116,6 +117,10 @@ in {
 "--metrics-port"
 "--payload-builder-enable"
 "--payload-builder-url"
+ "--keymanager-enable"
+ "--keymanager-token-file"
+ "--keymanager-address"
+ "--keymanager-port"
 "--trusted-node-url" # only needed for checkpoint sync
 ];
 isNormalArg = name: (findFirst (arg: hasPrefix arg name) null specialArgs) == null;
@@ -137,10 +142,16 @@ in {
 ++ (optionals cfg.args.payload-builder.enable [
 "--payload-builder"
 "--payload-builder-url=${cfg.args.payload-builder.url}"
+ ])
+ ++ (optionals cfg.args.keymanager.enable [
+ "--keymanager"
+ "--keymanager-address=${cfg.args.keymanager.address}"
+ "--keymanager-port=${toString cfg.args.keymanager.port}"
+ "--keymanager-token-file=${data-dir}/${cfg.args.keymanager.token-file}"
 ]);
 in ''
 ${jwt-secret} \
- ${data-dir} \
+ ${data-dir-arg} \
 ${concatStringsSep " \\\n" filteredArgs} \
 ${lib.escapeShellArgs cfg.extraArgs}
 '';
@@ -154,7 +165,7 @@ in {
 filteredArgs = builtins.filter isCheckpointArg args;
 in ''
 --backfill=false \
- ${data-dir} \
+ ${data-dir-arg} \
 ${concatStringsSep " \\\n" filteredArgs}
 '';
 in
@@ -164,16 +175,21 @@ in {
 description = "Nimbus Beacon Node (${beaconName})";
 serviceConfig = mkMerge [
- baseServiceConfig
 {
+ MemoryDenyWriteExecute = false;
 User = if cfg.args.user != null then cfg.args.user else user;
 StateDirectory = user;
- ExecStartPre = "${cfg.package}/bin/nimbus_beacon_node trustedNodeSync ${checkpointSyncArgs}";
+ ExecStartPre = lib.mkBefore [
+ '' ${pkgs.coreutils-full}/bin/cp --no-preserve=all --update=none \
+ /proc/sys/kernel/random/uuid ${data-dir}/${cfg.args.keymanager.token-file}''
+ "${cfg.package}/bin/nimbus_beacon_node trustedNodeSync ${checkpointSyncArgs}"
+ ];
 ExecStart = "${cfg.package}/bin/nimbus_beacon_node ${scriptArgs}";
 }
+ baseServiceConfig
 (mkIf (cfg.args.jwt-secret != null) {
 LoadCredential = ["jwt-secret:${cfg.args.jwt-secret}"];
 })
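Review bot: `"--keymanager-address=${cfg.args.keymanager.address}"` in the `@@ -137` hunk forwards whatever bind address is configured with no check or comment, while the token file named on the next line is the API's only authentication, so a non-loopback value exposes validator key management to the network. A one-line comment above the `optionals cfg.args.keymanager.enable` block, `# keymanager API is protected only by the bearer token in token-file; keep address on loopback unless access is otherwise restricted`, would make the 127.0.0.1 default an explicit decision rather than an accident. The `${data-dir}/${cfg.args.keymanager.token-file}` path is the same expression used by the `cp` in the `@@ -164` hunk, so the two stay consistent as long as both keep building it the same way.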
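Review bot: The token file created by the new `cp` entry in ExecStartPre in the `@@ -164` hunk gets the mode implied by the service's default umask (commonly 0644), so the keymanager bearer token is likely readable by every local user under a default 0755 StateDirectory, and that token is the only authentication on the API; add a follow-up pre-start step right after the cp entry, `"${pkgs.coreutils-full}/bin/chmod 0600 ${data-dir}/${cfg.args.keymanager.token-file}"`. The token is also generated regardless of `cfg.args.keymanager.enable`; wrapping the cp entry in `optionals cfg.args.keymanager.enable [ … ]` and concatenating it with the trustedNodeSync entry would keep disabled deployments free of an unused secret. `MemoryDenyWriteExecute = false;` lifts W^X hardening for the whole unit with no explanation in the hunk; a comment such as `# nimbus_beacon_node fails under MemoryDenyWriteExecute (see #546) — TODO record exact cause` would stop a later cleanup from re-enabling it blindly. Moving `baseServiceConfig` below the literal attrset and using `lib.mkBefore` presumably exist so these values win the merge; that intent also deserves a one-line comment.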