-
Notifications
You must be signed in to change notification settings - Fork 1
/
db-sync.nix
104 lines (102 loc) · 3.59 KB
/
db-sync.nix
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
{
config,
lib,
...
}: let
cfg = config.cardano.db-sync;
dbsync-cfg = config.services.cardano-db-sync;
inherit (lib) mkIf mkMerge mkEnableOption;
in {
options.cardano.db-sync = {
enable =
mkEnableOption ''
Cardano DB Sync provides a way to query local cardano node.
Cardano DB sync connects to a cardano node and saves blocks to a database.
You need to either provide the db connection arguments:
```nix
services.cardano-db-sync.database = {
# these are the defaults:
name = "cardano-db-sync";
user = "cardano-db-sync";
port = 5432;
socketdir = "/run/postgresql";
};
```
or enable the default postgresql service with `services.cardano-db-sync.postgres.enable` and possibly overwrite the `services.postgresql` options for your need.
''
// {default = config.cardano.enable or false;};
postgres.enable = mkEnableOption "Run postgres and connect dbsync to it." // {default = true;};
};
config = mkIf cfg.enable (mkMerge [
{
services.cardano-db-sync = {
enable = true;
environment = config.services.cardano-node.environments.${config.cardano.network};
inherit (config.cardano.node) socketPath;
postgres = {
user = "cardano-db-sync";
# use first socket from postgresql settings or default to /run/postgresql
socketdir = builtins.head ((config.services.postgresql.settings.unix_socket_directories or []) ++ ["/run/postgresql"]);
port = config.services.postgresql.settings.port or 5432;
database = "cardano-db-sync";
};
stateDir = "/var/lib/cardano-db-sync";
};
systemd.services.cardano-db-sync = {
serviceConfig = {
User = "cardano-db-sync";
# Security
UMask = "0077";
CapabilityBoundingSet = "";
ProtectClock = true;
ProtectKernelLogs = true;
ProtectDevices = true;
ProtectKernelModules = true;
SystemCallArchitectures = "native";
MemoryDenyWriteExecute = true;
RestrictNamespaces = true;
ProtectHostname = true;
ProtectKernelTunables = true;
RestrictRealtime = true;
SystemCallFilter = ["@system-service" "~@privileged"];
PrivateDevices = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
ProtectHome = true;
DevicePolicy = "closed";
DeviceAllow = "";
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
ProtectControlGroups = true;
PrivateUsers = true;
LockPersonality = true;
};
};
}
(mkIf (config.cardano.node.enable or false) {
systemd.services.cardano-db-sync = {
after = ["cardano-node-socket.service"];
requires = ["cardano-node-socket.service"];
};
})
(mkIf cfg.postgres.enable {
services.postgresql = {
enable = true;
# see warnings: this should be same as user name
ensureDatabases = [dbsync-cfg.postgres.database];
ensureUsers = [
{
name = "${dbsync-cfg.postgres.database}";
ensureDBOwnership = true;
}
];
};
assertions = [
{
assertion = cfg.postgres.enable && dbsync-cfg.postgres.database == dbsync-cfg.postgres.user;
message = "`cardano-db-sync.postgres.database` and `user` must be equal for `services.postgresql.ensureUsers.*.ensureDBOwnership` to work.";
}
];
})
]);
}