Merge pull request #10 from cspr-rad/casper-node-nixos-module

casper-node: add nixos-module and nixos-test

Author: marijanp

Diff for: flake.lock

@@ -16,9 +16,13 @@
       url = "github:oxalica/rust-overlay";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, rust-overlay, ... }:
+  outputs = { self, nixpkgs, rust-overlay, agenix, ... }:
     let
       eachSystem = systems: f:
         let
@@ -43,31 +47,50 @@
         "x86_64-linux"
       ];
     in
-    {
-      herculesCI.ciSystems = [ "x86_64-linux" ];
-      overlays.default = import ./overlay.nix;
-    }
-    // eachDefaultSystem (system:
-      let
-        pkgs = nixpkgs.legacyPackages.${system}.extend (import rust-overlay);
-        csprpkgs = pkgs.callPackage ./scope.nix { makeScope = pkgs.lib.makeScope; };
-      in
+    nixpkgs.lib.recursiveUpdate
       {
-        packages = {
-          inherit (csprpkgs)
-            casper-node
-            casper-node-contracts
-            casper-node-launcher
-            casper-client-rs
-            ;
-        };
-        formatter = pkgs.nixpkgs-fmt;
+        herculesCI.ciSystems = [ "x86_64-linux" "aarch64-linux" ];
+
+        overlays.default = import ./overlay.nix;
+
+        nixosModules.casper-node =
+          { pkgs, lib, ... }:
+          {
+            imports = [ ./nixos/modules/casper-node.nix ];
+            services.casper-node.package = self.packages.${pkgs.system}.casper-node;
+          };
+
+        checks.x86_64-linux.casper-node-smoke-test =
+          let
+            pkgs = nixpkgs.legacyPackages.x86_64-linux;
+          in
+          pkgs.callPackage ./nixos/tests/casper-node/smoke-test.nix {
+            casperNodeModule = self.nixosModules.casper-node;
+            agenixModule = agenix.nixosModules.age;
+          };
+      }
+      (eachDefaultSystem (system:
+        let
+          pkgs = nixpkgs.legacyPackages.${system}.extend (import rust-overlay);
+          csprpkgs = pkgs.callPackage ./scope.nix { makeScope = pkgs.lib.makeScope; };
+        in
+        {
+          packages = {
+            inherit (csprpkgs)
+              casper-node
+              casper-node-contracts
+              casper-node-launcher
+              casper-client-rs
+              ;
+          };
+          formatter = pkgs.nixpkgs-fmt;
 
-        checks.format = pkgs.runCommand "format-check" { buildInputs = [ pkgs.nixpkgs-fmt ]; } ''
-          set -euo pipefail
-          cd ${self}
-          nixpkgs-fmt --check .
-          touch $out
-        '';
-      });
+          checks.format = pkgs.runCommand "format-check" { buildInputs = [ pkgs.nixpkgs-fmt ]; } ''
+            set -euo pipefail
+            cd ${self}
+            nixpkgs-fmt --check .
+            touch $out
+          '';
+        })
+      );
 }

Diff for: flake.nix

@@ -0,0 +1,120 @@
+{ lib, pkgs, config, ... }:
+let
+  inherit (lib)
+    types
+    mkOption
+    mkIf
+    mkMerge
+    mkEnableOption
+    ;
+  cfg = config.services.casper-node;
+
+  mapDotsToUnderscore = lib.stringAsChars (c: if c == "." then "_" else c);
+  versionsAndHashes = {
+    "1.5.6" = "sha256-2N2vPKHLKV32RzzZPV004hWH1/lbeZUf3WofTVm+ZZI=";
+  };
+  defaultConfigsSrc = pkgs.fetchFromGitHub {
+    owner = "casper-network";
+    repo = "casper-protocol-release";
+    rev = "refs/tags/casper-${cfg.package.version}";
+    hash = versionsAndHashes.${cfg.package.version};
+  };
+in
+{
+  options.services.casper-node = {
+
+    enable = mkEnableOption ("casper-node");
+
+    package = mkOption {
+      type = types.package;
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 35000;
+      example = 35000;
+      description = ''
+        Port to listen on.
+      '';
+    };
+
+    publicAddress = mkOption {
+      type = types.str;
+      example = "https://casper.network:0";
+      description = ''
+        The public address other peer nodes should connect to.
+      '';
+    };
+
+    logLevel = mkOption {
+      type = types.str;
+      default = "info";
+      description = ''
+        The log-level that should be used.
+      '';
+    };
+
+    validatorSecretKeyPath = mkOption {
+      type = types.path;
+      description = ''
+        The absolute path to the validator's secret key file used to sign consensus messages.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.services.casper-node =
+      {
+        description = "casper-node";
+        documentation = [ "https://docs.casper.network/operators/setup/" ];
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network-online.target" ];
+        requires = [ "network-online.target" ];
+        environment = {
+          RUST_LOG = cfg.logLevel;
+        };
+        serviceConfig = mkMerge [
+          {
+            ExecStart = "${lib.getExe cfg.package} standard /etc/casper/${mapDotsToUnderscore cfg.package.version}/config.toml";
+            Restart = "always";
+            User = "casper-node";
+            Group = "casper-node";
+            StateDirectory = "casper"; # creates /var/lib/casper
+          }
+        ];
+      };
+
+    # Explicit user and group definitions are required instead of using DynamicUser,
+    # in order to work seemlessly with tools like agenix.
+    # The agenix service runs and changes ownership of a secret before a service
+    # with `DynamicUser=true` would create the user.
+    users.users.casper-node = {
+      name = "casper-node";
+      group = "casper-node";
+      isSystemUser = true;
+    };
+
+    users.groups.casper-node = { };
+
+    environment.etc."casper/${mapDotsToUnderscore cfg.package.version}/chainspec.toml".source = "${defaultConfigsSrc}/config/chainspec.toml";
+    environment.etc."casper/${mapDotsToUnderscore cfg.package.version}/config.toml" =
+      let
+        defaultConfig = builtins.fromTOML (builtins.readFile "${defaultConfigsSrc}/config/config-example.toml");
+
+        config = lib.recursiveUpdate defaultConfig {
+          network = {
+            bind_address = "0.0.0.0:${builtins.toString cfg.port}";
+            public_address = "${cfg.publicAddress}";
+          };
+          consensus.secret_key_path = cfg.validatorSecretKeyPath;
+        };
+
+        format = pkgs.formats.toml { };
+        configTomlFile = format.generate "config.toml" config;
+      in
+      {
+        source = configTomlFile;
+      };
+  };
+}

Diff for: nixos/modules/casper-node.nix

@@ -0,0 +1,14 @@
+# Do not copy this! It is insecure. This is only okay because we are testing.
+{
+  system.activationScripts.agenixInstall.deps = [ "installSSHHostKeys" ];
+
+  system.activationScripts.installSSHHostKeys.text = ''
+    mkdir -p /etc/ssh
+    (umask u=rw,g=r,o=r; cp ${./test-ssh-host-keys/nixos-test.pub} /etc/ssh/ssh_host_ed25519_key.pub)
+    (
+      umask u=rw,g=,o=
+      cp ${./test-ssh-host-keys/nixos-test} /etc/ssh/ssh_host_ed25519_key
+      touch /etc/ssh/ssh_host_rsa_key
+    )
+  '';
+}

Diff for: nixos/tests/casper-node/install-test-ssh-host-keys.nix

@@ -0,0 +1,43 @@
+{ nixosTest
+, casperNodeModule
+, agenixModule
+}:
+let
+  hostName = "casper-node";
+  port = 35001;
+in
+nixosTest {
+  name = "casper-node smoke test";
+
+  nodes = {
+    server = { config, pkgs, lib, ... }: {
+      imports = [
+        casperNodeModule
+        agenixModule
+        ./install-test-ssh-host-keys.nix
+      ];
+
+      age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      age.secrets.validator-secret-key = {
+        file = ../../../secrets/validator-secret-key.age;
+        mode = "500";
+        owner = config.systemd.services.casper-node.serviceConfig.User;
+        group = config.systemd.services.casper-node.serviceConfig.Group;
+      };
+
+      networking.hostName = hostName;
+      services.casper-node = {
+        enable = true;
+        inherit port;
+        publicAddress = "10.0.0.1:0"; # public address assigned by nixos test driver
+        validatorSecretKeyPath = config.age.secrets.validator-secret-key.path;
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+    casper_node.wait_for_unit("casper-node.service")
+    casper_node.wait_for_open_port(${builtins.toString port})
+  '';
+}

Diff for: nixos/tests/casper-node/smoke-test.nix

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACARPu+0DXJW3AGk6zwXLe9ywm0sRKe9hwk1leL15iPZeAAAAJglz2R+Jc9k
+fgAAAAtzc2gtZWQyNTUxOQAAACARPu+0DXJW3AGk6zwXLe9ywm0sRKe9hwk1leL15iPZeA
+AAAECTw1InqBh5qlk95TALDdmQ7nTa+3ZNAzzQmXbawVADrxE+77QNclbcAaTrPBct73LC
+bSxEp72HCTWV4vXmI9l4AAAAEGpvaG5AZXhhbXBsZS5jb20BAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----

Diff for: nixos/tests/casper-node/test-ssh-host-keys/nixos-test

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBE+77QNclbcAaTrPBct73LCbSxEp72HCTWV4vXmI9l4