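{ config, lib, pkgs, ... }:

with lib;
let

  cfg = config.services.erigon;

  # `settings` is rendered to a TOML file in the Nix store, which is world-readable.
  # Nothing secret may go in there; the JWT secret is passed separately via
  # systemd's LoadCredential (see the service definition below).
  settingsFormat = pkgs.formats.toml { };
  configFile = settingsFormat.generate "config.toml" cfg.settings;
in {

  options = {
    services.erigon = {
      enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier");

      extraArgs = mkOption {
        type = types.listOf types.str;
        description = lib.mdDoc ''
          Additional command line arguments passed to Erigon.
          Each element is shell-escaped, so values may safely contain spaces.
        '';
        default = [ ];
      };

      # No default on purpose: the previous `default = ""` is not a valid `types.path`
      # (paths must be absolute), so enabling the service without setting this option
      # failed with a confusing type error. Leaving it undefined yields the standard
      # "option is used but not defined" message instead, and the value is only
      # evaluated when `enable = true` (it is referenced inside `mkIf cfg.enable`).
      secretJwtPath = mkOption {
        type = types.path;
        description = lib.mdDoc ''
          Path to the JWT secret used to authenticate the Engine API
          (`--authrpc.jwtsecret`), i.e. the secret shared with the consensus client.
          The file is read at service start through systemd's `LoadCredential`, so it
          may live outside the Nix store (for example an agenix or sops secret) and
          is only exposed to the Erigon process.
          This option has no default and must be set when the service is enabled.
        '';
        example = literalExpression "config.age.secrets.ERIGON_JWT.path";
      };

      settings = mkOption {
        description = lib.mdDoc ''
          Configuration for Erigon
          Refer to <https://github.com/ledgerwatch/erigon#usage> for details on supported values.

          The generated config file is stored in the Nix store and is therefore
          world-readable: do not put secrets here. Note that the default `http.api`
          list includes the `debug` and `trace` namespaces and that `ws` is enabled;
          do not bind `http.addr` to a non-loopback address with that API set unless
          the endpoint is otherwise protected (the upstream default is to bind to
          localhost; check the Erigon documentation for the version you run).
        '';

        type = settingsFormat.type;

        example = {
          datadir = "/var/lib/erigon";
          chain = "mainnet";
          http = true;
          "http.port" = 8545;
          "http.api" = ["eth" "debug" "net" "trace" "web3" "erigon"];
          ws = true;
          port = 30303;
          "authrpc.port" = 8551;
          "torrent.port" = 42069;
          "private.api.addr" = "localhost:9090";
          "log.console.verbosity" = 3; # info
        };

        defaultText = literalExpression ''
          {
            datadir = "/var/lib/erigon";
            chain = "mainnet";
            http = true;
            "http.port" = 8545;
            "http.api" = ["eth" "debug" "net" "trace" "web3" "erigon"];
            ws = true;
            port = 30303;
            "authrpc.port" = 8551;
            "torrent.port" = 42069;
            "private.api.addr" = "localhost:9090";
            "log.console.verbosity" = 3; # info
          }
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    # Default values are the same as in the binary, they are just written here for convenience.
    services.erigon.settings = {
      datadir = mkDefault "/var/lib/erigon";
      chain = mkDefault "mainnet";
      http = mkDefault true;
      "http.port" = mkDefault 8545;
      "http.api" = mkDefault ["eth" "debug" "net" "trace" "web3" "erigon"];
      ws = mkDefault true;
      port = mkDefault 30303;
      "authrpc.port" = mkDefault 8551;
      "torrent.port" = mkDefault 42069;
      "private.api.addr" = mkDefault "localhost:9090";
      "log.console.verbosity" = mkDefault 3; # info
    };

    systemd.services.erigon = {
      description = "Erigon ethereum implementation";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig = {
        # The JWT secret is handed to the unit as a systemd credential and read from
        # %d (the per-service credentials directory) instead of the store config, so
        # it is neither world-readable nor visible on the command line.
        LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}";
        ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT ${lib.escapeShellArgs cfg.extraArgs}";
        DynamicUser = true;
        Restart = "on-failure";
        # /var/lib/erigon, matching the default `datadir` above.
        StateDirectory = "erigon";

        # Sandboxing. Erigon needs unprivileged network sockets (all listening ports
        # above are > 1024, so no capabilities are required) and its state directory;
        # everything else is locked down. AF_NETLINK is allowed because Go's net
        # package uses it for interface enumeration.
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectClock = true;
        ProtectProc = "noaccess";
        ProcSubset = "pid";
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        RemoveIPC = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };
  };
}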