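# NixOps configuration for the hosts running a Cardano node.
#
# Module arguments: `config` is read back for the decrypted secret paths,
# `inputs` supplies the `cardano-node` flake input, `pkgs` supplies the
# target system string. `lib` is accepted for interface compatibility but
# is not used here.
{ config, inputs, pkgs, lib, ... }:

{
  # Block-producer credentials (KES signing key, VRF key, operational
  # certificate). Each is decrypted to /run/keys, owned by the cardano-node
  # user/group and readable only by that user (mode 0600).
  age.secrets = {
    cardano-kes = {
      file = ../secrets/cardano/cardano-kes.age;
      path = "/run/keys/cardano-kes";
      owner = "cardano-node";
      group = "cardano-node";
      mode = "0600";
    };
    cardano-opcert = {
      file = ../secrets/cardano/cardano-opcert.age;
      path = "/run/keys/cardano-opcert";
      owner = "cardano-node";
      group = "cardano-node";
      mode = "0600";
    };
    cardano-vrf = {
      file = ../secrets/cardano/cardano-vrf.age;
      path = "/run/keys/cardano-vrf";
      owner = "cardano-node";
      group = "cardano-node";
      mode = "0600";
    };
  };

  #imports = [../secrets/cardano/producers.nix];

  # cardano-cli comes from the same flake input as the node so the two
  # versions stay in step.
  environment.systemPackages = [inputs.cardano-node.packages.${pkgs.system}.cardano-cli];

  services.cardano-node = {
    enable = true;
    environment = "mainnet";
    # NOTE(review): this node holds block-producer keys yet listens on all
    # interfaces and port 3001 is opened in the firewall below. Peer
    # restriction appears to be intended via the commented-out
    # producers.nix import — confirm the topology/firewall policy actually
    # limits inbound peers to the relays.
    hostAddr = "0.0.0.0";
    # Start from the upstream mainnet environment for the target system
    # (same key as the `packages` lookup above) and override logging and
    # metrics: Prometheus is bound to loopback only, logs go to journald.
    nodeConfig = inputs.cardano-node.environments.${pkgs.system}.mainnet // {
      Protocol = "Cardano";
      hasPrometheus = ["127.0.0.1" 12798];
      setupScribes = [
        {
          scKind = "JournalSK";
          scName = "cardano";
          scFormat = "ScText";
        }
      ];
      defaultScribes = [["JournalSK" "cardano"]];
    };
    # Point the node at the decrypted secret paths declared above; these
    # are already strings, so no interpolation is needed.
    kesKey = config.age.secrets.cardano-kes.path;
    vrfKey = config.age.secrets.cardano-vrf.path;
    operationalCertificate = config.age.secrets.cardano-opcert.path;
  };

  systemd.services.cardano-node = {
    # Ensure cardano-node starts after nixops keys are loaded.
    # NOTE(review): these `<name>-key.service` units follow the NixOps
    # deployment.keys naming convention, while the secrets above are
    # declared under age.secrets — confirm the units exist on the target,
    # otherwise this ordering has no effect.
    after = [
      "cardano-kes-key.service"
      "cardano-opcert-key.service"
      "cardano-vrf-key.service"
    ];
    wants = [
      "cardano-kes-key.service"
      "cardano-opcert-key.service"
      "cardano-vrf-key.service"
    ];
  };

  networking.firewall.allowedTCPPorts = [
    3001 # cardano-node
  ];

  users.groups.keys.members = ["cardano-node"]; # Required due to NixOps issue #1204
}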