# ###########################################################################
# Docker image builder
#
# To build and load into the Docker engine:
#
# nix build .#dockerImage
# docker load -i ./result
#
# To launch with a pre-loaded configuration, select it with the NETWORK
# environment variable (set it to one of the values shown):
#
# docker run \
# -v $PATH_TO/node-ipc:/node-ipc \
# -v $PATH_TO/pgpass:/configuration/pgpass \
# -v $PWD/data:/var/lib/cdbsync \
# -e NETWORK=mainnet|testnet \
# inputoutput/cardano-db-sync
#
# Provide an (almost*) complete command otherwise:
#
# docker run \
# -v $PWD/config/mainnet-config:/configuration/configuration.yaml \
# -v $PWD/node-ipc:/node-ipc \
# -v $PWD/config/pgpass:/pgpass \
# -v $PWD/data:/data \
# -e PGPASSFILE=/pgpass \
# inputoutput/cardano-db-sync run \
# --config /configuration/configuration.yaml \
# --socket-path /node-ipc/node.socket \
# --state-dir /data
#
# * --schema-dir is set within the script
#
# To download and restore a snapshot, include -e RESTORE_SNAPSHOT=https://update-cardano-mainnet.iohk.io/cardano-db-sync/db-sync-snapshot-schema-10-block-6014140-x86_64.tgz
# Only point RESTORE_SNAPSHOT at a source you trust, since the archive's contents are restored into the database.
# See the latest releases for a recent snapshot: https://github.com/input-output-hk/cardano-db-sync/releases
# See docker-compose.yml for a demonstration of using Docker secrets instead of mounting a pgpass file.
#
#
############################################################################
{ cardanoLib, dockerTools
# The main contents of the image.
, cardano-cli, cardano-db-sync, scripts
# Get the current commit
, gitrev
# Other things to include in the image.
, bashInteractive, cacert, coreutils, curl, findutils, getconf, glibcLocales
, gnutar, gzip, jq, iana-etc, iproute, iputils, socat, utillinux, writeScript
, writeScriptBin, runCommand, runtimeShell, lib, libidn, libpqxx, postgresql
, dbSyncRepoName ? "inputoutput/cardano-db-sync" }:
let
# Tiny derivation whose only output is a /usr/bin/env symlink pointing at
# coreutils' env, so that `#!/usr/bin/env ...` shebangs resolve in the image.
env-shim = runCommand "env-shim" { } ''
  mkdir -p $out/usr/bin
  ln -s ${coreutils}/bin/env $out/usr/bin/env
'';
# Bottom layer: tooling that rarely changes between releases, kept separate
# from the application layers stacked on top of it.
# NOTE(review): everything listed here ships in the final image. Several
# entries look like debugging conveniences rather than runtime requirements;
# confirm which ones the entry point and snapshot restore actually need.
baseImage = dockerTools.buildImage {
  name = "base-env";
  # Point TLS clients at the CA bundle shipped in the image.
  config = {
    Env = [ "NIX_SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt" ];
  };
  contents = [
    bashInteractive # Provide the BASH shell
    cacert # X.509 certificates of public CAs
    coreutils # Basic utilities expected in GNU OSes
    curl # CLI tool for transferring files via URLs
    env-shim # Make /usr/bin/env available
    findutils # GNU find
    getconf # get num cpus
    gnutar # GNU tar
    glibcLocales # Locale information for the GNU C Library
    gzip # GNU zip
    jq # JSON processor
    iana-etc # IANA protocol and port number assignments
    iproute # Utilities for controlling TCP/IP networking
    iputils # Useful utilities for Linux networking
    libidn # Library for internationalized domain names
    libpqxx # A C++ library to access PostgreSQL databases
    postgresql # A powerful, open source object-relational database system
    socat # Utility for bidirectional data transfer
    utillinux # System utilities for Linux
    cardano-cli
  ];
  # Runs as root while the image is built: dockerTools' shadow setup first,
  # then a home directory for root.
  runAsRoot = ''
    #!${runtimeShell}
    ${dockerTools.shadowSetup}
    mkdir -p /root
  '';
};
# Middle layer: the cardano-db-sync application on top of baseImage, still
# without any entry point or network configuration.
dockerWithoutConfig = dockerTools.buildImage {
  fromImage = baseImage;
  name = "docker-without-config";
  contents = [ cardano-db-sync ];
};
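# Final image: dockerWithoutConfig plus an entry-point script that prepares
# the pgpass file and then starts cardano-db-sync, either with a user-supplied
# command line (NETWORK unset) or with one of the managed per-network scripts.
dbSyncDockerImage = let
  # One `elif` arm per attribute of `scripts`, spliced into the entry point's
  # NETWORK dispatch below. Each arm replaces the shell with that network's
  # db-sync launcher via `exec`, so nothing placed after the `exec` would run;
  # the unreachable `echo "Cleaning up"` that used to follow it is dropped.
  clusterStatements = lib.concatStringsSep "\n" (lib.mapAttrsToList
    (env: script:
      let dbSyncScript = script.db-sync;
      in ''
        elif [[ "$NETWORK" == "${env}" ]]; then
          echo "Connecting to network: ${env}"
          exec ${dbSyncScript}/bin/${dbSyncScript.name}
      '') scripts);

  # Writes /configuration/pgpass from POSTGRES_* environment variables,
  # falling back to files in the secrets directory passed as $1 for the
  # database name, user and password.
  genPgPass = writeScript "gen-pgpass" ''
    #!${runtimeShell}
    SECRET_DIR=$1
    echo "$SECRET_DIR"
    echo "Generating PGPASS file"
    POSTGRES_DB=''${POSTGRES_DB:-$(< "''${SECRET_DIR}/postgres_db")}
    POSTGRES_USER=''${POSTGRES_USER:-$(< "''${SECRET_DIR}/postgres_user")}
    POSTGRES_PASSWORD=''${POSTGRES_PASSWORD:-$(< "''${SECRET_DIR}/postgres_password")}
    # Create the file owner-only from the start: without a restrictive umask
    # the password is briefly readable under the default mode, until the
    # chmod below runs.
    umask 077
    # NOTE(review): POSTGRES_HOST and POSTGRES_PORT have no fallback, and
    # values are written unescaped; the pgpass format needs ':' and '\'
    # inside a field to be backslash-escaped.
    echo "''${POSTGRES_HOST}:''${POSTGRES_PORT}:''${POSTGRES_DB}:''${POSTGRES_USER}:''${POSTGRES_PASSWORD}" > /configuration/pgpass
    chmod 0600 /configuration/pgpass
  '';

  # Container entry point. Generates the pgpass file when none is mounted,
  # then dispatches on NETWORK.
  entry-point = writeScriptBin "entry-point" ''
    #!${runtimeShell}
    mkdir -p /configuration
    if [ ! -f /configuration/pgpass ]
    then
      ${genPgPass} /run/secrets
    fi
    # NOTE(review): this overrides any PGPASSFILE passed with `docker run -e`;
    # a pgpass mounted anywhere other than /configuration/pgpass is ignored.
    export PGPASSFILE=/configuration/pgpass
    # set up /tmp (override with TMPDIR variable)
    mkdir -p -m 1777 /tmp
    if [[ -z "$NETWORK" ]]; then
      echo "Connecting to network specified in configuration.yaml"
      DBSYNC=${cardano-db-sync}/bin/cardano-db-sync
      set -euo pipefail
      ${scripts.mainnet.db-sync.passthru.service.restoreSnapshotScript}
      if [[ "''${DISABLE_LEDGER:-N}" == "Y" ]]; then
        LEDGER_OPTS="--disable-ledger"
      else
        LEDGER_OPTS="--state-dir ${scripts.mainnet.db-sync.passthru.service.stateDir}"
      fi
      # LEDGER_OPTS is left unquoted on purpose so that it splits into an
      # option and its value; "$@" is quoted so that user-supplied arguments
      # containing spaces or glob characters reach db-sync unchanged.
      exec $DBSYNC --schema-dir ${../schema} ''${LEDGER_OPTS} "$@"
    ${clusterStatements}
    else
      echo "Managed configuration for network $NETWORK does not exist"
      # Fail visibly so an orchestrator does not see a clean exit when
      # nothing was started.
      exit 1
    fi
  '';
in dockerTools.buildImage {
  name = dbSyncRepoName;
  fromImage = dockerWithoutConfig;
  tag = gitrev;
  created = "now"; # Set creation date to build time. Breaks reproducibility
  contents = [ entry-point ];
  # NOTE(review): no `User` is configured, so the entry point and db-sync run
  # as root inside the container. The entry point creates /configuration and
  # /tmp at start-up, so running as a dedicated user would need those paths
  # and the mounted volumes to be writable by it.
  config = { EntryPoint = [ "${entry-point}/bin/entry-point" ]; };
};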
in dbSyncDockerImage