Skip to content

Add user option in geth nixos module. #626

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add user option in geth nixos module. #626

wants to merge 4 commits into from

Conversation

@thalin
Copy link
Contributor

@thalin thalin commented Jul 20, 2025

I wanted to manage the user that runs the geth service directly instead of relying on DynamicUser in the systemd config. The existing geth config didn't really allow this, but adding mkDefault to User let me override it in my own config. While I was there, I thought maybe it would be useful to be able to change StateDirectory and ExecStart too, so I went ahead and wrapped those with mkDefault too - but I'm not really sure ExecStart needs it. Looking for a second opinion there.

FWIW, I wrote a little ethOverride function to change the user and add (most of) the settings that DynamicUser covers, which looks like this:

ethOverride = user: {
  DynamicUser = mkForce false;
  RemoveIPC = true;
  PrivateTmp = true;
  NoNewPrivileges = "strict";
  RestrictSUIDSGID = true;
  ProtectSystem = true;
  User = mkForce user;
};

Then I call the function like systemd.services.<service-name>.serviceConfig = ethOverride myuser.

@thalin
Copy link
Contributor Author

thalin commented Jul 20, 2025

This could probably be more well-supported in the module directly of course - adding a user option would be nice. However, this is most expedient for what I needed so here it is.

@thalin
Copy link
Contributor Author

thalin commented Aug 21, 2025

I updated this to add the user option, as mentioned above.

@thalin thalin changed the title Make some geth service config overrideable. Add user option in geth nixos module. Aug 21, 2025
@thalin thalin force-pushed the geth-default-user branch from 9380bd8 to d53e088 Compare August 23, 2025 20:19
@thalin thalin marked this pull request as draft August 23, 2025 20:23
@thalin thalin force-pushed the geth-default-user branch 2 times, most recently from 8073365 to a1db5da Compare August 24, 2025 16:27
thalin added 4 commits August 31, 2025 21:35
@thalin
Make some geth service config overrideable.
cfc6c7e
@thalin
Use the same idea as prysm-beacon to set the user.
b0a3966
@thalin
If a user is set, turn off DynamicUser.
e308981 
Also set all the settings DynamicUser automatically sets. This
ensures that the environment between the two options stays
consistent.
@thalin
Add new dynamicUser option to disable DynamicUser.
3ce8aee 
Default is true which leaves dynamicUser enabled, and when set to false
the systemd service DynamicUser option is disabled but all of the other
options which are automatically enabled by that option are set to
default enabled.
@thalin thalin marked this pull request as ready for review September 1, 2025 01:35
@thalin
Copy link
Contributor Author

thalin commented Sep 1, 2025

OK I think I am happy with this now and think that it doesn't disrupt existing behavior. Any feedback would be appreciated!

@selfuryon selfuryon self-assigned this Sep 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@selfuryon selfuryon

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@thalin @selfuryon