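# NixOps configuration for the hosts running a Cardano node
#
# This host is given KES, VRF and operational-certificate credentials (see
# services.cardano-node below), i.e. it is set up to produce blocks. The
# key files are delivered under /run/keys rather than being referenced as Nix
# paths, which keeps them out of the world-readable Nix store.
#
# Layout note: every `#` comment runs to the end of its line, so this file
# must keep one statement per line; collapsing it onto a single line turns the
# whole expression into a comment.
{ config, pkgs, lib, ... }:
let
  # Pinned source revisions; the pin file itself is not part of this module.
  sources = import ../nix/sources.nix;

  # cardano-node is built from the pinned checkout; gitrev passes that same
  # pinned revision to the cardano-node build.
  cardanoNodeProject = import (sources.cardano-node + "/nix") {
    gitrev = sources.cardano-node.rev;
  };

  iohkNix = import (sources.iohk-nix) {};

  # systemd units that NixOps creates for the three deployed keys. Defined once
  # so that the `after` and `wants` lists below cannot drift apart.
  keyUnits = [
    "cardano-kes-key.service"
    "cardano-opcert-key.service"
    "cardano-vrf-key.service"
  ];
in
{
  imports = [
    # NOTE(review): contents not visible here. Any secret placed in an ordinary
    # option value ends up in the Nix store, which is world-readable; confirm
    # this file only hands secrets over through deployment.keys.
    ../secrets/cardano/producers.nix
    "${sources.cardano-node}/nix/nixos"
  ];

  environment.systemPackages = [cardanoNodeProject.cardano-cli];

  services = {
    cardano-node = {
      enable = true;
      environment = "mainnet";

      # Listens on every interface. Together with the firewall rule below this
      # makes the node port reachable from any source address.
      # NOTE(review): for a host holding block-producing credentials, confirm
      # that inbound access is narrowed to the operator's own relays somewhere
      # upstream (provider firewall / security group); nothing in this file
      # does that.
      hostAddr = "0.0.0.0";

      nodeConfig = iohkNix.cardanoLib.environments.mainnet.nodeConfig // {
        # Metrics endpoint is bound to loopback only, and port 12798 is not in
        # allowedTCPPorts, so it is not exposed by this configuration.
        hasPrometheus = ["127.0.0.1" 12798];

        # Log as text to the systemd journal under the name "cardano".
        setupScribes = [
          {
            scKind = "JournalSK";
            scName = "cardano";
            scFormat = "ScText";
          }
        ];
        defaultScribes = [["JournalSK" "cardano"]];
      };

      # Deliberately strings, not Nix path literals: a path literal would be
      # copied into the Nix store when the configuration is built.
      kesKey = "/run/keys/cardano-kes";
      vrfKey = "/run/keys/cardano-vrf";
      operationalCertificate = "/run/keys/cardano-opcert";
    };
  };

  systemd = {
    services = {
      cardano-node = {
        # Ensure cardano-node starts after nixops keys are loaded
        after = keyUnits;
        # `wants` is a weak dependency: systemd still starts cardano-node when
        # a key unit fails.
        # NOTE(review): what the node does with a missing key file is decided
        # by the cardano-node module, not here; verify it fails rather than
        # running without credentials.
        wants = keyUnits;
      };
    };
  };

  networking = {
    firewall = {
      allowedTCPPorts = [
        3001 # cardano-node
      ];
    };
  };

  # Required due to NixOps issue #1204
  # Membership in `keys` lets the service user enter /run/keys. Ownership and
  # mode of the individual key files are set where the keys are declared, which
  # is not in this file (presumably the imported secrets module; verify).
  users.groups.keys.members = ["cardano-node"];
}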