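{ config, lib, pkgs, ... }:

with lib;
let

  cfg = config.services.erigon;

  # Erigon is configured through a TOML file: cfg.settings is rendered into the
  # store and handed to the binary with --config (see ExecStart below).
  settingsFormat = pkgs.formats.toml { };
  configFile = settingsFormat.generate "config.toml" cfg.settings;
in {

  options = {
    services.erigon = {
      enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier");

      package = mkPackageOptionMD pkgs "erigon" { };

      extraArgs = mkOption {
        type = types.listOf types.str;
        description = lib.mdDoc "Additional arguments passed to Erigon";
        default = [ ];
      };

      secretJwtPath = mkOption {
        # Defaults to null (instead of "") so that an unset value is reported by
        # the assertion in the config section with a clear message rather than
        # by a generic type-check failure.  The file is passed to the service
        # through systemd LoadCredential, so it does not need to be readable by
        # the service's dynamic user.
        type = types.nullOr types.path;
        description = lib.mdDoc ''
          Path to the JWT secret file used to authenticate the authrpc API
          (`--authrpc.jwtsecret`). The file is exposed to the service via systemd
          `LoadCredential`, so it does not have to be readable by the service user.
        '';
        default = null;
        example = "config.age.secrets.ERIGON_JWT.path";
      };

      settings = mkOption {
        description = lib.mdDoc ''
          Configuration for Erigon
          Refer to <https://github.com/ledgerwatch/erigon#usage> for details on supported values.
        '';

        type = settingsFormat.type;

        example = {
          datadir = "/var/lib/erigon";
          chain = "mainnet";
          http = true;
          "http.port" = 8545;
          "http.api" = ["eth" "debug" "net" "trace" "web3" "erigon"];
          ws = true;
          port = 30303;
          "authrpc.port" = 8551;
          "torrent.port" = 42069;
          "private.api.addr" = "localhost:9090";
          "log.console.verbosity" = 3; # info
        };

        defaultText = literalExpression ''
          {
            datadir = "/var/lib/erigon";
            chain = "mainnet";
            http = true;
            "http.port" = 8545;
            "http.api" = ["eth" "debug" "net" "trace" "web3" "erigon"];
            ws = true;
            port = 30303;
            "authrpc.port" = 8551;
            "torrent.port" = 42069;
            "private.api.addr" = "localhost:9090";
            "log.console.verbosity" = 3; # info
          }
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.secretJwtPath != null;
        message = "services.erigon.secretJwtPath must be set: the authrpc API needs the JWT secret that LoadCredential passes to the service.";
      }
    ];

    # Default values are the same as in the binary, they are just written here for convenience.
    # NOTE(review): the default "http.api" list enables the "debug" and "trace"
    # namespaces, and the HTTP listen address is not set here (Erigon's own
    # default applies).  Confirm the listener stays loopback-only, or restrict
    # it via settings / firewall, before exposing this host to other networks.
    services.erigon.settings = {
      datadir = mkDefault "/var/lib/erigon";
      chain = mkDefault "mainnet";
      http = mkDefault true;
      "http.port" = mkDefault 8545;
      "http.api" = mkDefault ["eth" "debug" "net" "trace" "web3" "erigon"];
      ws = mkDefault true;
      port = mkDefault 30303;
      "authrpc.port" = mkDefault 8551;
      "torrent.port" = mkDefault 42069;
      "private.api.addr" = mkDefault "localhost:9090";
      "log.console.verbosity" = mkDefault 3; # info
    };

    systemd.services.erigon = {
      description = "Erigon ethereum implementation";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig = {
        # The JWT secret is copied into the per-service credentials directory
        # (%d) by systemd; only the service sees it, and the source path keeps
        # its own permissions.
        LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}";
        # extraArgs is shell-escaped so user-supplied arguments cannot inject
        # additional commands or options into the unit's command line.
        ExecStart = "${cfg.package}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT ${lib.escapeShellArgs cfg.extraArgs}";
        DynamicUser = true;
        Restart = "on-failure";
        StateDirectory = "erigon";
        # Sandboxing: no capabilities, no privilege escalation, read-only view
        # of most of the host, and only the generic system-service syscall set.
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectClock = true;
        ProtectProc = "noaccess";
        ProcSubset = "pid";
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        RemoveIPC = true;
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };
  };
}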