feat(demeter-run-cli): init package

avnik · avnik · commit f7010afbf671 · 2025-09-17T17:04:31.000+03:00
Signed-off-by: Alexander V. Nikolaev &lt;avn@avnik.info&gt;
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -24,6 +24,10 @@
       url = "github:txpipe/oura/v1.9.4";
       inputs.crane.follows = "crane";
     };
+    demeter-run-cli = {
+      url = "github:demeter-run/cli";
+      flake = false;
+    };
     crane = {
       url = "github:ipetkov/crane";
     };
diff --git a/modules/default.nix b/modules/default.nix
@@ -73,6 +73,12 @@
         ./monitoring.nix
       ];
     };
+    demeter-run = {
+      imports = [
+        ./demeter-run.nix
+        ./services/demeter-run.nix
+      ];
+    };
     # the default module imports all modules
     default = {
       imports = [
diff --git a/modules/demeter-run.nix b/modules/demeter-run.nix
@@ -0,0 +1,54 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.cardano.demeter-run;
+  dmtr_cfg = config.services.demeter-run;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    types
+    ;
+in
+{
+  options.cardano.demeter-run = {
+    node = {
+      enable = mkEnableOption "Demeter run tunnel";
+      instance = mkOption {
+        type = types.str;
+      };
+
+      configFile = mkOption {
+        type = types.str;
+        description = ''
+          Config file for demeter setup (contain secrets, use agenix or sops)
+
+          This is config file generated by dmtrctl init ... command invocation,
+          contains random generated id, and token is obviously a secret obtained from demeter service during init.
+        '';
+      };
+    };
+
+    # FIXME: not implemented yet
+    kupo = { };
+
+    # FIXME: not implemented yet
+    ogmios = { };
+  };
+
+  config = mkIf cfg.node.enable {
+    services.demeter-run = {
+      enable = true;
+      inherit (cfg.node) instance;
+      inherit (cfg.node) configFile;
+    };
+
+    # Register as cardano-node socket provider
+    cardano.providers.node = {
+      socketPath = dmtr_cfg.socket;
+      accessGroup = dmtr_cfg.group;
+      requires = "demeter-run.service";
+      after = "demeter-run.service";
+    };
+  };
+}
diff --git a/modules/services/demeter-run.nix b/modules/services/demeter-run.nix
@@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.demeter-run;
+in
+{
+  options.services.demeter-run = with lib; {
+    enable = mkEnableOption "Demeter run tunnel";
+
+    package = mkOption {
+      type = types.package;
+      description = "The demeter-run-cli package.";
+      default = pkgs.demeter-run-cli;
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "demeter-run";
+      description = "User account under which demeter-run is run";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "demeter-run";
+      description = "Group account under which demeter-run is run";
+    };
+
+    socket = mkOption {
+      type = types.str;
+      default = "${cfg.socketDir}/node.socket";
+    };
+
+    socketDir = mkOption {
+      type = types.str;
+      default = "/run/demeter-run";
+    };
+
+    instance = mkOption {
+      type = types.str;
+    };
+
+    configFile = mkOption {
+      type = types.path;
+      description = ''
+        Config file for demeter setup (contain secrets, use agenix or sops)
+      '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.demeter-run-cli ];
+    users.users.${cfg.user} = {
+      inherit (cfg) group;
+      isSystemUser = true;
+    };
+
+    users.groups.${cfg.group} = { };
+    systemd.tmpfiles.rules = [
+      "d '${cfg.socketDir}' - ${cfg.user} ${cfg.group} - -"
+    ];
+
+    systemd.services.demeter-run = {
+      enable = true;
+      path = [ cfg.package ];
+      wants = [
+        "network-online.target"
+      ];
+
+      script = ''
+        rm -f ${cfg.socket}
+        ${cfg.package}/bin/dmtrctl ports tunnel --socket ${cfg.socket} ${cfg.instance}
+      '';
+
+      preStart = ''
+        ${pkgs.coreutils}/bin/install -m 0700 -g ${cfg.group} -o ${cfg.user} ${cfg.configFile} ${cfg.socketDir}/config.toml
+      '';
+
+      # Prevent secret leaking
+      postStop = ''
+        rm ${cfg.socketDir}/config.toml
+      '';
+
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Restart = "always";
+        RestartSec = 10;
+        Group = cfg.group;
+        User = cfg.user;
+        Environment = [
+          "DMTR_ROOT_DIR=${cfg.socketDir}"
+        ];
+        UMask = "006";
+      };
+    };
+  };
+}
diff --git a/packages/default.nix b/packages/default.nix
@@ -2,6 +2,7 @@
 {
   imports = [
     ./cardano.nix
+    ./demeter-run-cli.nix
     ./ogmios.nix
     ./kupo.nix
     ./oura.nix
@@ -11,6 +12,7 @@
       inherit ((config.perSystem final.system).packages)
         cardano-cli
         cardano-node
+        demeter-run-cli
         ogmios
         kupo
         oura
diff --git a/packages/demeter-run-cli.nix b/packages/demeter-run-cli.nix
@@ -0,0 +1,26 @@
+{ inputs, ... }:
+{
+  perSystem =
+    { pkgs, ... }:
+    {
+      packages =
+        let
+          craneLib = inputs.crane.mkLib pkgs;
+          commonArgs = {
+            pname = "demeter-run-cli";
+            version = "0-unstable-git-${inputs.demeter-run-cli.shortRev}";
+            strictDeps = true;
+            src = inputs.demeter-run-cli.outPath;
+          };
+          demeter-run-cli = craneLib.buildPackage (
+            commonArgs
+            // {
+              cargoArtifacts = craneLib.buildDepsOnly commonArgs;
+            }
+          );
+        in
+        {
+          inherit demeter-run-cli;
+        };
+    };
+}
