Merge pull request #288401 from katexochen/bees/refactor

    github = "Atry";

    githubId = 601530;

  };

  attila-lendvai = {

    name = "Attila Lendvai";

    email = "attila@lendvai.name";

    github = "attila-lendvai";

    githubId = 840345;

  };

  auchter = {

    name = "Michael Auchter";

    email = "a@phire.org";

  ./services/networking/autossh.nix

  ./services/networking/avahi-daemon.nix

  ./services/networking/babeld.nix

  ./services/networking/bee-clef.nix

  ./services/networking/bee.nix

  ./services/networking/biboumi.nix

  ./services/networking/bind.nix

{ config, lib, pkgs, ... }:

# NOTE for now nothing is installed into /etc/bee-clef/. the config files are used as read-only from the nix store.

with lib;

let

  cfg = config.services.bee-clef;

in {

  meta = {

    maintainers = with maintainers; [ attila-lendvai ];

  };

  ### interface

  options = {

    services.bee-clef = {

      enable = mkEnableOption (lib.mdDoc "clef external signer instance for Ethereum Swarm Bee");

      dataDir = mkOption {

        type = types.nullOr types.str;

        default = "/var/lib/bee-clef";

        description = lib.mdDoc ''

          Data dir for bee-clef. Beware that some helper scripts may not work when changed!

          The service itself should work fine, though.

        '';

      };

      passwordFile = mkOption {

        type = types.nullOr types.str;

        default = "/var/lib/bee-clef/password";

        description = lib.mdDoc "Password file for bee-clef.";

      };

      user = mkOption {

        type = types.str;

        default = "bee-clef";

        description = lib.mdDoc ''

          User the bee-clef daemon should execute under.

        '';

      };

      group = mkOption {

        type = types.str;

        default = "bee-clef";

        description = lib.mdDoc ''

          Group the bee-clef daemon should execute under.

        '';

      };

    };

  };

  ### implementation

  config = mkIf cfg.enable {

    # if we ever want to have rules.js under /etc/bee-clef/

    # environment.etc."bee-clef/rules.js".source = ${pkgs.bee-clef}/rules.js

    systemd.packages = [ pkgs.bee-clef ]; # include the upstream bee-clef.service file

    systemd.tmpfiles.rules = [

        "d '${cfg.dataDir}/'         0750 ${cfg.user} ${cfg.group}"

        "d '${cfg.dataDir}/keystore' 0700 ${cfg.user} ${cfg.group}"

      ];

    systemd.services.bee-clef = {

      path = [

        # these are needed for the ensure-clef-account script

        pkgs.coreutils

        pkgs.gnused

        pkgs.gawk

      ];

      wantedBy = [ "bee.service" "multi-user.target" ];

      serviceConfig = {

        User = cfg.user;

        Group = cfg.group;

        ExecStartPre = ''${pkgs.bee-clef}/share/bee-clef/ensure-clef-account "${cfg.dataDir}" "${pkgs.bee-clef}/share/bee-clef/"'';

        ExecStart = [

          "" # this hides/overrides what's in the original entry

          "${pkgs.bee-clef}/share/bee-clef/bee-clef-service start"

        ];

        ExecStop = [

          "" # this hides/overrides what's in the original entry

          "${pkgs.bee-clef}/share/bee-clef/bee-clef-service stop"

        ];

        Environment = [

          "CONFIGDIR=${cfg.dataDir}"

          "PASSWORD_FILE=${cfg.passwordFile}"

        ];

      };

    };

    users.users = optionalAttrs (cfg.user == "bee-clef") {

      bee-clef = {

        group = cfg.group;

        home = cfg.dataDir;

        isSystemUser = true;

        description = "Daemon user for the bee-clef service";

      };

    };

    users.groups = optionalAttrs (cfg.group == "bee-clef") {

      bee-clef = {};

    };

  };

}

in {

  meta = {

    # doc = ./bee.xml;

    maintainers = with maintainers; [ attila-lendvai ];

    maintainers = with maintainers; [ ];

  };

  ### interface

      }

    ];

    warnings = optional (! config.services.bee-clef.enable) "The bee service requires an external signer. Consider setting `config.services.bee-clef.enable` = true";

    services.bee.settings = {

      data-dir             = lib.mkDefault "/var/lib/bee";

      password-file        = lib.mkDefault "/var/lib/bee/password";

      clef-signer-enable   = lib.mkDefault true;

      clef-signer-endpoint = lib.mkDefault "/var/lib/bee-clef/clef.ipc";

      swap-endpoint        = lib.mkDefault "https://rpc.slock.it/goerli";

    };

    ];

    systemd.services.bee = {

      requires = optional config.services.bee-clef.enable

        "bee-clef.service";

      wantedBy = [ "multi-user.target" ];

      serviceConfig = {

It is recommended to use external signer with bee.

Check documentation for more info:

- SWAP https://docs.ethswarm.org/docs/installation/manual#swap-bandwidth-incentives

- External signer https://docs.ethswarm.org/docs/installation/bee-clef

After you finish configuration run 'sudo bee-get-addr'."

        fi

        home = cfg.settings.data-dir;

        isSystemUser = true;

        description = "Daemon user for Ethereum Swarm Bee";

        extraGroups = optional config.services.bee-clef.enable

          config.services.bee-clef.group;

      };

    };

From 04933c578f51aa1f536991318dc5aede57f81c0d Mon Sep 17 00:00:00 2001

From: Attila Lendvai <attila@lendvai.name>

Date: Sat, 30 Jan 2021 14:02:02 +0100

Subject: [PATCH 1/2] clef-service: accept default CONFIGDIR from the

 environment

---

 packaging/bee-clef-service | 15 ++++++++++-----

 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/packaging/bee-clef-service b/packaging/bee-clef-service

index 10bcd92..34c7edd 100755

--- a/packaging/bee-clef-service

+++ b/packaging/bee-clef-service

@@ -1,16 +1,21 @@

 #!/usr/bin/env sh

 start() {

-    KEYSTORE=/var/lib/bee-clef/keystore

-    CONFIGDIR=/var/lib/bee-clef

+    if [ -z "$CONFIGDIR" ]; then

+        CONFIGDIR=/var/lib/bee-clef

+    fi

+    if [ -z "$PASSWORD_FILE" ]; then

+        PASSWORD_FILE=${CONFIGDIR}/password

+    fi

+    KEYSTORE=${CONFIGDIR}/keystore

+    SECRET=$(cat ${PASSWORD_FILE})

     CHAINID=5

-    SECRET=$(cat /var/lib/bee-clef/password)

     # clef with every start sets permissions back to 600

-    (sleep 4; chmod 660 /var/lib/bee-clef/clef.ipc) &

+    (sleep 4; chmod 660 ${CONFIGDIR}/clef.ipc) &

     ( sleep 2; cat << EOF

 { "jsonrpc": "2.0", "id":1, "result": { "text":"$SECRET" } }

 EOF

-) | clef --stdio-ui --keystore $KEYSTORE --configdir $CONFIGDIR --chainid $CHAINID --rules /etc/bee-clef/rules.js --nousb --4bytedb-custom /etc/bee-clef/4byte.json --pcscdpath "" --auditlog "" --loglevel 3 --ipcpath /var/lib/bee-clef

+) | clef --stdio-ui --keystore $KEYSTORE --configdir $CONFIGDIR --chainid $CHAINID --rules /etc/bee-clef/rules.js --nousb --4bytedb-custom /etc/bee-clef/4byte.json --pcscdpath "" --auditlog "" --loglevel 3 --ipcpath ${CONFIGDIR}

 }

 stop() {

-- 

2.29.2