add Kupo package, module, test

configurations/preview.nix

@@ -0,0 +1 @@
+../template/preview.nix

configurations/vm.nix

@@ -0,0 +1 @@
+../template/vm.nix

docs/getting-started/deploy.md

@@ -29,7 +29,7 @@ This [Nix Flake](https://zero-to-nix.com/concepts/flakes) is the entry point to
 - a NixOS configuration for the virtual machine, under `nixosConfigurations.server-vm`
 - an app to run the virtual machine as above, under `apps.x86_64-linux.server-vm`
 
-#### `configuration.nix`
+#### `preview.nix`
 
 This is the [NixOS configuration](https://zero-to-nix.com/concepts/nixos#configuration) to run cardano services for the machine.
 
@@ -39,7 +39,7 @@ This NixOS configuration sets virtual machine options such as cores, memory and
 
 ### Customize
 
-To learn more, browse available [NixOS options in nixpkgs](https://search.nixos.org/options) and [NixOS options provided by cardano.nix](../../reference/module-options/cardano/) (see other modules in the menu on the left). You can ad these options to `configuration.nix` to configure the system.
+To learn more, browse available [NixOS options in nixpkgs](https://search.nixos.org/options) and [NixOS options provided by cardano.nix](../../reference/module-options/cardano/) (see other modules in the menu on the left). You can ad these options to `preview.nix` to configure the system.
 
 ### Deployment options
 

docs/getting-started/vm.md

@@ -8,6 +8,7 @@ A virtual machine will be started with the following services, and the following
 | ------------ | ---- |
 | cardano-node | 3001 |
 | ogmios       | 1337 |
+| kupo         | 1442 |
 
 You can log in with user `root`. The password is empty. In the virtual machine, `cardano-cli` is available to query the node.
 

flake.nix

@@ -9,6 +9,7 @@
       url = "github:intersectmbo/cardano-node?ref=8.7.3";
     };
     cardano-configurations = {
+      # This version is compatible with cardano-node above and likely needs to be updated together.
       url = "github:input-output-hk/cardano-configurations/21249e0d5c68b4e8f3661b250aa8272a8785d678";
       flake = false;
     };
@@ -49,9 +50,11 @@
     };
   };
   outputs = inputs @ {flake-parts, ...}:
-    flake-parts.lib.mkFlake {
+    flake-parts.lib.mkFlake
+    {
       inherit inputs;
-    } {
+    }
+    {
       debug = true;
       imports = [
         ./checks

modules/cardano.nix

@@ -10,7 +10,7 @@ in
   #  assert cfg.networkNumbers ? cfg.network;
   {
     options.cardano = {
-      enable = lib.mkEnableOption "all Cardano services and HTTP proxy.";
+      enable = lib.mkEnableOption "all Cardano services and HTTP proxy";
       network = lib.mkOption {
         description = "Cardano network to operate on.";
         type = types.enum (lib.attrNames cfg.networkNumbers);

modules/default.nix

@@ -37,6 +37,15 @@
         config.flake.overlays.ogmios
       ];
     };
+    kupo = {
+      imports = [
+        ./services/kupo.nix
+        ./kupo.nix
+      ];
+      nixpkgs.overlays = [
+        config.flake.overlays.kupo
+      ];
+    };
     http = {
       imports = [
         ./services/http-proxy.nix

modules/http.nix

@@ -26,6 +26,10 @@ in {
           inherit (config.services.ogmios) port;
           inherit (config.services.ogmios.package) version;
         };
+        kupo = {
+          inherit (config.services.kupo) port;
+          inherit (config.services.kupo.package) version;
+        };
       };
     };
   };

modules/kupo.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.cardano.kupo;
+in {
+  options.cardano.kupo = {
+    enable =
+      lib.mkEnableOption "Kupo chain-indexer"
+      // {default = config.cardano.enable or false;};
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.kupo = {
+      enable = true;
+      nodeSocketPath =
+        lib.mkIf (config.cardano.node.enable or false)
+        config.cardano.node.socketPath;
+      nodeConfigPath =
+        lib.mkIf (config.cardano.node.enable or false)
+        config.cardano.node.configPath;
+      ogmiosHost =
+        lib.mkIf (config.cardano.ogmios.enable or false)
+        "127.0.0.1";
+      ogmiosPort =
+        lib.mkIf (config.cardano.ogmios.enable or false)
+        config.services.ogmios.port;
+    };
+
+    systemd.services.kupo = {
+      after =
+        lib.optional (config.cardano.node.enable or false) "cardano-node-socket.service"
+        ++ lib.optional (config.cardano.ogmios.enable or false) "ogmios.service";
+      requires =
+        lib.optional (config.cardano.node.enable or false) "cardano-node-socket.service"
+        ++ lib.optional (config.cardano.ogmios.enable or false) "ogmios.service";
+    };
+  };
+}

modules/ogmios.nix

@@ -14,6 +14,9 @@ in {
   config = lib.mkIf cfg.enable {
     services.ogmios = {
       enable = true;
+      nodeSocketPath =
+        lib.mkIf (config.cardano.node.enable or false)
+        config.cardano.node.socketPath or null;
       nodeConfigPath =
         lib.mkIf (config.cardano.node.enable or false)
         config.cardano.node.configPath or null;

modules/services/kupo.nix

@@ -0,0 +1,190 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.services.kupo;
+  inherit (lib) escapeShellArgs flatten types;
+in
+  with lib; {
+    options.services.kupo = {
+      enable = mkEnableOption "Kupo Cardano chain-indexer";
+
+      package = mkOption {
+        description = "Kupo package.";
+        type = types.package;
+        default = pkgs.kupo;
+      };
+
+      user = mkOption {
+        description = "User to run kupo service as.";
+        type = types.nonEmptyStr;
+        default = "kupo";
+      };
+
+      group = mkOption {
+        description = "Group to run kupo service as.";
+        type = types.nonEmptyStr;
+        default = "kupo";
+      };
+
+      workDir = mkOption {
+        description = "Directory to start the kupo and store its data. Must start with `/var/lib/`.";
+        type = types.path;
+        default = "/var/lib/kupo";
+      };
+
+      host = mkOption {
+        description = "Host address or name to listen on.";
+        type = types.nonEmptyStr;
+        default = "127.0.0.1";
+      };
+
+      port = mkOption {
+        description = "TCP port to listen on.";
+        type = types.port;
+        default = 1442;
+      };
+
+      nodeSocketPath = mkOption {
+        description = "Path to cardano-node IPC socket. Ignored if `ogmiosHost` is not `null`.";
+        type = types.nullOr types.path;
+        default = "/run/cardano-node/node.socket";
+      };
+
+      nodeConfigPath = mkOption {
+        description = "Path to cardano-node config.json file. Ignored if `ogmiosHost` is not `null`";
+        type = types.path;
+        default = "/etc/cardano-node/config.json";
+      };
+
+      ogmiosHost = mkOption {
+        description = "Ogmios host name. Optional, will connect to cardano-node if `null`.";
+        type = types.nullOr types.nonEmptyStr;
+        default = null;
+      };
+
+      ogmiosPort = mkOption {
+        description = "Ogmios port. Ignored if `ogmiosHost` is `null`.";
+        type = types.port;
+        default = 1337;
+      };
+
+      hydraHost = mkOption {
+        description = "Hydra host name. Optional.";
+        type = types.nullOr types.nonEmptyStr;
+        default = null;
+      };
+
+      hydraPort = mkOption {
+        description = "Hydra port. Ignored if `hydraHost` is `null`.";
+        type = types.port;
+      };
+
+      matches = mkOption {
+        description = "The list of addresses to watch.";
+        type = types.listOf types.nonEmptyStr;
+        default = ["*"];
+      };
+
+      since = mkOption {
+        description = "Watching depth.";
+        type = types.nonEmptyStr;
+        default = "origin";
+      };
+
+      pruneUtxo = mkOption {
+        description = "Automatically remove inputs that are spent on-chain.";
+        type = types.bool;
+        default = false;
+      };
+
+      extraArgs = mkOption {
+        description = "Extra arguments to kupo command.";
+        type = types.listOf types.str;
+        default = [];
+      };
+    };
+
+    config = mkIf cfg.enable {
+      assertions = [
+        {
+          assertion = lib.hasPrefix "/var/lib/" cfg.workDir;
+          message = "`workDir` must start with `/var/lib/`";
+        }
+      ];
+
+      users.users.kupo = mkIf (cfg.user == "kupo") {
+        isSystemUser = true;
+        inherit (cfg) group;
+        extraGroups = ["cardano-node"];
+      };
+      users.groups.kupo = mkIf (cfg.group == "kupo") {};
+
+      systemd.services.kupo = {
+        enable = true;
+        after = ["cardano-node.service" "ogmios.service"];
+        wantedBy = ["multi-user.target"];
+
+        script = escapeShellArgs (flatten [
+          ["${cfg.package}/bin/kupo"]
+          ["--workdir" cfg.workDir]
+          ["--host" cfg.host]
+          ["--port" cfg.port]
+          (optional (cfg.ogmiosHost == null) [
+            ["--node-socket" cfg.nodeSocketPath]
+            ["--node-config" cfg.nodeConfigPath]
+          ])
+          (optional (cfg.ogmiosHost != null) [
+            ["--ogmios-host" cfg.ogmiosHost]
+            ["--ogmios-port" cfg.ogmiosPort]
+          ])
+          (optional (cfg.hydraHost != null) [
+            ["--hydra-host" cfg.hydraHost]
+            ["--hydra-port" cfg.hydraPort]
+          ])
+          ["--since" cfg.since]
+          (map (m: ["--match" m]) cfg.matches)
+          (optional cfg.pruneUtxo "--prune-utxo")
+          cfg.extraArgs
+        ]);
+
+        serviceConfig = {
+          User = cfg.user;
+          Group = cfg.group;
+          WorkingDirectory = cfg.workDir;
+          StateDirectory = lib.removePrefix "/var/lib/" cfg.workDir;
+          # Security
+          UMask = "0077";
+          AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
+          CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
+          DevicePolicy = "closed";
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
+        };
+      };
+    };
+  }

packages/default.nix

@@ -6,11 +6,13 @@ in {
   imports = [
     ./cardano.nix
     ./ogmios.nix
+    ./kupo.nix
   ];
   flake.overlays = {
     cardano-cli = mkOverlay "cardano-cli";
     cardano-node = mkOverlay "cardano-node";
     cardano-configurations = mkOverlay "cardano-configurations";
     ogmios = mkOverlay "ogmios";
+    kupo = mkOverlay "kupo";
   };
 }