input-output-hk
diff --git a/‎.envrc‎
Lines changed: 5 additions & 3 deletions b/‎.envrc‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎flake.lock‎
Lines changed: 10 additions & 10 deletions b/‎flake.lock‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎flake.nix‎
Lines changed: 1 addition & 2 deletions b/‎flake.nix‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎flake/nixosModules/profile-basic.nix‎
Lines changed: 54 additions & 47 deletions b/‎flake/nixosModules/profile-basic.nix‎
Lines changed: 54 additions & 47 deletions
diff --git a/‎flake/nixosModules/profile-cardano-node-topology.nix‎
Lines changed: 1 addition & 0 deletions b/‎flake/nixosModules/profile-cardano-node-topology.nix‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎flakeModules/jobs.nix‎
Lines changed: 29 additions & 12 deletions b/‎flakeModules/jobs.nix‎
Lines changed: 29 additions & 12 deletions
@@ -1,28 +1,30 @@
+# shellcheck disable=SC2148
 if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
   source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
 fi
 
 IGREEN='\e[0;92m'
 IRED='\e[0;91m'
 NC='\e[0m'
-if [ $(nix eval --impure --expr 'let f = builtins.getFlake "git+file://${toString ./.}"; in f.lib.versionAtLeast builtins.nixVersion "2.17.0"') != "true" ]; then
+if [ "$(nix eval --impure --expr "let f = builtins.getFlake \"git+file://\${toString ./.}\"; in f.lib.versionAtLeast builtins.nixVersion \"2.17.0\"")" != "true" ]; then
   echo -e "The nix version must be at least ${IGREEN}2.17.0${NC} for fetchClosure of pure packages."
   echo -e "Your version is ${IRED}$(nix --version)${NC}"
   exit
 fi
 
-if [ $(nix eval --expr 'builtins ? fetchClosure') != "true" ]; then
+if [ "$(nix eval --expr 'builtins ? fetchClosure')" != "true" ]; then
   echo -e "Experimental nix feature \"${IGREEN}fetch-closure${NC}\" ${IRED}must be enabled${NC} for fetchClosure of pure packages."
   echo "You may need to add the following to your nix config:"
   echo
   echo "nix.settings.extraOptions = \"experimental-features = fetch-closure\";"
   exit
 fi
 
+# shellcheck disable=SC1091
 [ -f .envrc.local ] && source .envrc.local
 
 if [ -n "${DEVSHELL_TARGET:-}" ]; then
-  use flake .#${DEVSHELL_TARGET}
+  use flake ".#$DEVSHELL_TARGET"
 else
   use flake
 fi
@@ -106,8 +106,7 @@
     };
 
     cardano-node-service-ng = {
-      # Until node >= 10.5.0 is tagged, this commit allows the service to work on nixpkgs >= 25.05
-      url = "github:IntersectMBO/cardano-node/0983ac29304aadac74a5604eeefa76cfbcc91611";
+      url = "github:IntersectMBO/cardano-node/10.5.0";
       flake = false;
     };
 
 
@@ -30,11 +30,7 @@
 
         networking = {
           hostName = name;
-          firewall = {
-            enable = true;
-            allowedTCPPorts = [22];
-            allowedUDPPorts = [];
-          };
+          firewall.enable = true;
         };
 
         time.timeZone = "UTC";
@@ -53,48 +49,59 @@
           doc.enable = false;
         };
 
-        environment.systemPackages = with pkgs; [
-          awscli2
-          age
-          bat
-          bind
-          cloud-utils
-          di
-          dnsutils
-          fd
-          fx
-          file
-          git
-          glances
-          helix
-          htop
-          icdiff
-          ijq
-          iptables
-          self'.packages.isd
-          jiq
-          jq
-          lsof
-          nano
-          # For nix >= 2.24 build compatibility
-          inputs.nixpkgs-unstable.legacyPackages.${system}.neovim
-          ncdu
-          # Add a localFlake pin to avoid downstream repo nixpkgs pins <= 24.11 causing missing features error
-          inputs.nixpkgs.legacyPackages.${system}.nushell
-          nvme-cli
-          parted
-          pciutils
-          procps
-          ripgrep
-          rsync
-          smem
-          ssh-to-age
-          sops
-          sysstat
-          tcpdump
-          tree
-          wget
-        ];
+        environment = {
+          shellInit = ''
+            # This can be used to simplify ssh sessions, rsync, ex:
+            #   ssh -o "$(ssm-proxy-cmd "$REGION")" "$INSTANCE_ID"
+            ssm-proxy-cmd() {
+              echo "ProxyCommand=sh -c 'aws --region $1 ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p'"
+            }
+          '';
+
+          systemPackages = with pkgs; [
+            awscli2
+            age
+            bat
+            bind
+            cloud-utils
+            di
+            dnsutils
+            fd
+            fx
+            file
+            git
+            glances
+            helix
+            htop
+            icdiff
+            ijq
+            iptables
+            self'.packages.isd
+            jiq
+            jq
+            lsof
+            nano
+            # For nix >= 2.24 build compatibility
+            inputs.nixpkgs-unstable.legacyPackages.${system}.neovim
+            ncdu
+            # Add a localFlake pin to avoid downstream repo nixpkgs pins <= 24.11 causing missing features error
+            inputs.nixpkgs.legacyPackages.${system}.nushell
+            nvme-cli
+            parted
+            pciutils
+            procps
+            ripgrep
+            rsync
+            ssm-session-manager-plugin
+            smem
+            ssh-to-age
+            sops
+            sysstat
+            tcpdump
+            tree
+            wget
+          ];
+        };
 
         programs = {
           tmux = {
 
@@ -97,6 +97,7 @@
           # These are also set from the role-block-producer nixos module
           extraNodeConfig = {
             PeerSharing = false;
+            TargetNumberOfKnownPeers = 100;
             TargetNumberOfRootPeers = 100;
           };
           publicProducers = mkForce (extraNodeListPublicProducers ++ extraPublicProducers);
 
@@ -94,6 +94,15 @@ in {
         # Some code paths may not use the era bundled cli
         # shellcheck disable=SC2034
         CARDANO_CLI=("''${CARDANO_CLI_NO_ERA[@]}" "''${ERA_CMD:+$ERA_CMD}")
+
+        # Use a cardano-cli breaking change marker to handle version specific breaking changes
+        if [ "$(printf "%s\n10.11.0.0" "$("''${CARDANO_CLI_NO_ERA[@]}" --version)" | sort -V | head -n 1)" = "10.11.0.0" ]; then
+          # shellcheck disable=SC2034
+          CARDANO_CLI_BREAKING="true"
+        else
+          # shellcheck disable=SC2034
+          CARDANO_CLI_BREAKING="false"
+        fi
       '';
 
       updateProposalTemplate = ''
@@ -166,11 +175,19 @@ in {
         function create_proposal {
           TARGET_EPOCH="$1"
 
-          "''${CARDANO_CLI_NO_ERA[@]}" legacy governance create-update-proposal \
-            --epoch "$TARGET_EPOCH" \
-            "''${PROPOSAL_ARGS[@]}" \
-            "''${PROPOSAL_KEY_ARGS[@]}" \
-            --out-file update.proposal
+          if [ "$CARDANO_CLI_BREAKING" = "true" ]; then
+            "''${CARDANO_CLI_NO_ERA[@]}" compatible "''${ERA_CMD:-alonzo}" governance action create-protocol-parameters-update \
+              --epoch "$TARGET_EPOCH" \
+              "''${PROPOSAL_ARGS[@]}" \
+              "''${PROPOSAL_KEY_ARGS[@]}" \
+              --out-file update.proposal
+          else
+            "''${CARDANO_CLI_NO_ERA[@]}" legacy governance create-update-proposal \
+              --epoch "$TARGET_EPOCH" \
+              "''${PROPOSAL_ARGS[@]}" \
+              "''${PROPOSAL_KEY_ARGS[@]}" \
+              --out-file update.proposal
+          fi
 
           "''${CARDANO_CLI_NO_ERA[@]}" compatible "''${ERA_CMD:-alonzo}" transaction signed-transaction \
             --tx-in "$TXIN" \
@@ -2058,8 +2075,8 @@ in {
             ${selectCardanoCli}
 
             "''${CARDANO_CLI_NO_ERA[@]}" latest governance committee create-hot-key-authorization-certificate \
-              --cold-verification-key-file "$CC_DIR"/cc-"$INDEX"-cold.vkey \
-              --hot-verification-key-file "$CC_DIR"/cc-"$INDEX"-hot.vkey \
+              --cold-verification-key-file "$(decrypt_check "$CC_DIR"/cc-"$INDEX"-cold.vkey)" \
+              --hot-verification-key-file "$(decrypt_check "$CC_DIR"/cc-"$INDEX"-hot.vkey)" \
               --out-file cc-"$INDEX"-reg.cert
 
             WITNESSES=2
@@ -2090,7 +2107,7 @@ in {
               --tx-body-file tx-cc-"$INDEX".txbody \
               --out-file tx-cc-"$INDEX".txsigned \
               --signing-key-file "$(decrypt_check "$PAYMENT_KEY".skey)" \
-              --signing-key-file "$CC_DIR"/cc-"$INDEX"-cold.skey
+              --signing-key-file "$(decrypt_check "$CC_DIR"/cc-"$INDEX"-cold.skey)"
 
             fd --type file . "$CC_DIR"/ --exec bash -c 'encrypt_check {}'
 
@@ -2121,12 +2138,12 @@ in {
             mkdir -p "$CC_DIR"
 
             "''${CARDANO_CLI_NO_ERA[@]}" latest governance committee key-gen-cold \
-              --verification-key-file "$CC_DIR"/cc-"$INDEX"-cold.vkey \
-              --signing-key-file "$CC_DIR"/cc-"$INDEX"-cold.skey
+              --verification-key-file "$(decrypt_check "$CC_DIR"/cc-"$INDEX"-cold.vkey)" \
+              --signing-key-file "$(decrypt_check "$CC_DIR"/cc-"$INDEX"-cold.skey)"
 
             "''${CARDANO_CLI_NO_ERA[@]}" latest governance committee key-gen-hot \
-              --verification-key-file "$CC_DIR"/cc-"$INDEX"-hot.vkey \
-              --signing-key-file "$CC_DIR"/cc-"$INDEX"-hot.skey
+              --verification-key-file "$(decrypt_check "$CC_DIR"/cc-"$INDEX"-hot.vkey)" \
+              --signing-key-file "$(decrypt-check "$CC_DIR"/cc-"$INDEX"-hot.skey)"
           '';
         };