# NixOps configuration for the hosts running a Cardano node.
#
# The node is started with a KES key, a VRF key and an operational
# certificate, so these hosts hold the pool's hot signing material.
{ config, pkgs, lib, ... }:

let
  # Pinned source revisions come from ../nix/sources.nix; cardano-node is
  # built from exactly the revision recorded there.
  sources = import ../nix/sources.nix;

  cardanoNodeProject = import (sources.cardano-node + "/nix") {
    gitrev = sources.cardano-node.rev;
  };

  iohkNix = import sources.iohk-nix { };

  # Upstream mainnet node configuration, extended below.
  mainnetNodeConfig = iohkNix.cardanoLib.environments.mainnet.nodeConfig;
in
{
  imports = [
    # NOTE(review): values this module assigns to ordinary NixOS options are
    # written to the world-readable Nix store. Presumably the key material
    # itself is deployed via deployment.keys here -- confirm.
    ../secrets/cardano/producers.nix
    "${sources.cardano-node}/nix/nixos"
  ];

  environment.systemPackages = [ cardanoNodeProject.cardano-cli ];

  services.cardano-node = {
    enable = true;
    environment = "mainnet";

    # Binds every interface. Together with the firewall rule below, the node
    # port is reachable from any source address.
    hostAddr = "0.0.0.0";

    nodeConfig = mainnetNodeConfig // {
      # Metrics endpoint stays on loopback, so it is not exposed off-host.
      hasPrometheus = [ "127.0.0.1" 12798 ];

      # Log to the systemd journal in text format.
      setupScribes = [
        {
          scKind = "JournalSK";
          scName = "cardano";
          scFormat = "ScText";
        }
      ];
      defaultScribes = [ [ "JournalSK" "cardano" ] ];
    };

    # Signing material is read from /run/keys rather than from store paths.
    # NOTE(review): confirm each key is declared with an owner/group and
    # permissions that only the cardano-node user can read.
    kesKey = "/run/keys/cardano-kes";
    vrfKey = "/run/keys/cardano-vrf";
    operationalCertificate = "/run/keys/cardano-opcert";
  };

  # 3001 is the cardano-node port.
  # NOTE(review): this opens the port to all peers. If only this pool's own
  # relays are meant to connect to the producer, scope the rule to their
  # addresses instead -- verify against the intended topology.
  networking.firewall.allowedTCPPorts = [ 3001 ];

  # Required due to NixOps issue #1204.
  # Membership in `keys` lets the cardano-node user reach /run/keys; it also
  # applies to any other key there that is group-readable by `keys`.
  users.groups.keys.members = [ "cardano-node" ];
}