input-output-hk
diff --git a/‎flake.lock
Lines changed: 127 additions & 887 deletions b/‎flake.lock
Lines changed: 127 additions & 887 deletions
diff --git a/‎flake.nix
Lines changed: 57 additions & 20 deletions b/‎flake.nix
Lines changed: 57 additions & 20 deletions
diff --git a/‎flake/nixosModules/profile-aws-ec2-ephemeral.nix
Lines changed: 59 additions & 11 deletions b/‎flake/nixosModules/profile-aws-ec2-ephemeral.nix
Lines changed: 59 additions & 11 deletions
diff --git a/‎flake/nixosModules/profile-basic.nix
Lines changed: 6 additions & 1 deletion b/‎flake/nixosModules/profile-basic.nix
Lines changed: 6 additions & 1 deletion
diff --git a/‎flake/nixosModules/profile-cardano-metadata.nix
Lines changed: 6 additions & 0 deletions b/‎flake/nixosModules/profile-cardano-metadata.nix
Lines changed: 6 additions & 0 deletions
diff --git a/‎flake/nixosModules/profile-cardano-parts.nix
Lines changed: 35 additions & 1 deletion b/‎flake/nixosModules/profile-cardano-parts.nix
Lines changed: 35 additions & 1 deletion
diff --git a/‎flake/nixosModules/profile-cardano-smash.nix
Lines changed: 6 additions & 0 deletions b/‎flake/nixosModules/profile-cardano-smash.nix
Lines changed: 6 additions & 0 deletions
diff --git a/‎flake/nixosModules/profile-cardano-webserver.nix
Lines changed: 6 additions & 0 deletions b/‎flake/nixosModules/profile-cardano-webserver.nix
Lines changed: 6 additions & 0 deletions
diff --git a/‎flake/nixosModules/profile-grafana-alloy.nix
Lines changed: 2 additions & 2 deletions b/‎flake/nixosModules/profile-grafana-alloy.nix
Lines changed: 2 additions & 2 deletions
@@ -2,51 +2,91 @@
   description = "Cardano Parts: nix flake parts for cardano clusters";
 
   inputs = {
-    auth-keys-hub.url = "github:input-output-hk/auth-keys-hub";
-    auth-keys-hub.inputs.nixpkgs.follows = "nixpkgs";
-    colmena.inputs.nixpkgs.follows = "nixpkgs";
-    colmena.url = "github:zhaofengli/colmena";
+    auth-keys-hub = {
+      url = "github:input-output-hk/auth-keys-hub";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-parts.follows = "flake-parts";
+        treefmt-nix.follows = "treefmt-nix";
+      };
+    };
+
+    colmena = {
+      url = "github:zhaofengli/colmena";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     flake-parts.url = "github:hercules-ci/flake-parts";
-    inputs-check.url = "github:input-output-hk/inputs-check";
+
+    inputs-check = {
+      url = "github:input-output-hk/inputs-check";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-parts.follows = "flake-parts";
+      };
+    };
+
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
-    nix.url = "github:nixos/nix/2.25-maintenance";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    nix.url = "github:nixos/nix/2.29-maintenance";
+
     opentofu-registry = {
       url = "github:opentofu/registry";
       flake = false;
     };
-    sops-nix.url = "github:Mic92/sops-nix";
-    terranix.url = "github:terranix/terranix";
-    treefmt-nix.url = "github:numtide/treefmt-nix";
-    treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    terranix = {
+      url = "github:terranix/terranix";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-parts.follows = "flake-parts";
+      };
+    };
+
+    treefmt-nix = {
+      url = "github:numtide/treefmt-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     # Process compose related
     process-compose-flake.url = "github:Platonic-systems/process-compose-flake";
     services-flake.url = "github:juspay/services-flake";
 
     # Cardano related inputs
     capkgs.url = "github:input-output-hk/capkgs";
-    empty-flake.url = "github:input-output-hk/empty-flake";
-    haskell-nix.url = "github:input-output-hk/haskell.nix";
     iohk-nix.url = "github:input-output-hk/iohk-nix";
     iohk-nix-ng.url = "github:input-output-hk/iohk-nix";
 
-    # For tmp local testing pins
-    blockperf.url = "github:johnalotoski/blockperf/preview-network";
+    # Blockperf fork until PRs merged upstream
+    blockperf = {
+      url = "github:johnalotoski/blockperf/preview-network";
+      inputs = {
+        # Requires nixpkgs specific pinning for locked python versioning
+        # nixpkgs.follows = "nixpkgs";
+        flake-parts.follows = "flake-parts";
+      };
+    };
     # blockperf.url = "path:/home/jlotoski/work/johnalotoski/blockperf-wt/preview-network";
+
+    # For tmp local testing pins
     # cardano-faucet.url = "github:input-output-hk/cardano-faucet/jl/node-9.2";
     # cardano-faucet.url = "path:/home/jlotoski/work/iohk/cardano-faucet-wt/jl/node-9.2";
 
     # Cardano-db-sync schema input pins, which must match the
     # versioning of the release and pre-release (-ng) dbsync
     # definitions found in flakeModule/pkgs.nix.
     cardano-db-sync-schema = {
-      url = "github:IntersectMBO/cardano-db-sync/13.6.0.4";
+      url = "github:IntersectMBO/cardano-db-sync/13.6.0.5";
       flake = false;
     };
 
     cardano-db-sync-schema-ng = {
-      url = "github:IntersectMBO/cardano-db-sync/13.6.0.4";
+      url = "github:IntersectMBO/cardano-db-sync/13.6.0.5";
       flake = false;
     };
 
@@ -95,9 +135,6 @@
       url = "github:cardano-foundation/cardano-wallet/v2025-03-31";
       flake = false;
     };
-
-    # Reduce stackage.nix source download deps
-    haskell-nix.inputs.stackage.follows = "empty-flake";
   };
 
   outputs = inputs: let
 
@@ -60,7 +60,7 @@ flake: {
     ...
   }: let
     inherit (builtins) head;
-    inherit (lib) any getExe hasInfix hasPrefix mkForce mkIf mkOption splitString;
+    inherit (lib) any getExe hasInfix hasPrefix mkForce mkIf mkOption removePrefix splitString;
     inherit (lib.types) bool enum listOf str;
     inherit (config.aws.instance) instance_type;
 
@@ -76,6 +76,15 @@ flake: {
     key = ./profile-aws-ec2-ephemeral.nix;
 
     options.services.aws.ec2.ephemeral = {
+      enableMountOnCreation = mkOption {
+        type = bool;
+        default = true;
+        description = ''
+          Whether to ensure the ephemeral volume is mounted automatically after
+          it becomes available.
+        '';
+      };
+
       enablePostMountService = mkOption {
         type = bool;
         default = true;
@@ -86,18 +95,28 @@ flake: {
 
       fsOpts = mkOption {
         type = listOf str;
-        default = [
-          # An example file system performance tuning option for XFS
-          "logbsize=256k"
-        ];
+        default =
+          if cfg.fsType == "ext2"
+          then [
+            # An example file system performance tuning option for ext2
+            "noacl"
+            "noatime"
+            "nodiratime"
+          ]
+          else if cfg.fsType == "xfs"
+          then [
+            # An example file system performance tuning option for XFS
+            "logbsize=256k"
+          ]
+          else [];
         description = ''
           File system tuning options used during mounting.
         '';
       };
 
       fsType = mkOption {
-        type = enum ["xfs"];
-        default = "xfs";
+        type = enum ["ext2" "xfs"];
+        default = "ext2";
         description = ''
           The file system to use for ephemeral storage.
 
@@ -107,7 +126,7 @@ flake: {
           ephemeral block device(s) at which point auto-format and relabelling
           will occur.
 
-          NOTE: Changing to a file system other than xfs will require
+          NOTE: Changing to a file system other than ext2 or xfs will require
           extending the nixos module code to support the new filesystem(s).
         '';
       };
@@ -239,7 +258,7 @@ flake: {
             ExecStart = getExe (pkgs.writeShellApplication {
               name = cfg.serviceName;
 
-              runtimeInputs = with pkgs; [fd jq kmod mdadm util-linux xfsprogs];
+              runtimeInputs = with pkgs; [e2fsprogs fd jq kmod mdadm util-linux xfsprogs];
               text = ''
                 set -euo pipefail
 
@@ -291,7 +310,7 @@ flake: {
                 if [ "$NUM_BD" -eq "1" ]; then
                   if [ "$EMPTY" = "true" ]; then
                     set -x
-                    mkfs -t xfs -L "$LABEL" "''${INSTANCE_BD[@]}"
+                    mkfs -t ${cfg.fsType} -L "$LABEL" "''${INSTANCE_BD[@]}"
                   fi
                   ln -svf "''${INSTANCE_BD[@]}" "$SYM_TGT"
                   set +x
@@ -301,7 +320,7 @@ flake: {
                     set -x
                     mdadm --create "$RAID_DEV" --raid-devices="$NUM_BD" --level=0 "''${INSTANCE_BD[@]}"
                     mdadm --detail --scan | tee "$RAID_CFG"
-                    mkfs -t xfs -L "$LABEL" "$RAID_DEV"
+                    mkfs -t ${cfg.fsType} -L "$LABEL" "$RAID_DEV"
                     ln -svf "$RAID_DEV" "$SYM_TGT"
                     set +x
                   else
@@ -335,6 +354,35 @@ flake: {
             });
           };
         };
+
+        "${cfg.serviceName}-mount-on-creation" = mkIf cfg.enableMountOnCreation {
+          wantedBy = ["multi-user.target"];
+          serviceConfig = {
+            Type = "oneshot";
+            ExecStart = getExe (pkgs.writeShellApplication {
+              name = "${cfg.serviceName}-mount-on-creation";
+              text = ''
+                set -euo pipefail
+
+                while true; do
+                  echo "Sleeping 10 seconds until mount on created attempt..."
+                  sleep 10
+                  # shellcheck disable=SC2010
+                  if ls -1 / | grep -q ${removePrefix "/" cfg.mountPoint}; then
+                    echo "Found: ${cfg.mountPoint}"
+
+                    # Trigger the systemd auto-mount service
+                    ls ${cfg.mountPoint}
+
+                    touch ${cfg.mountPoint}/.mounted
+
+                    break
+                  fi
+                done
+              '';
+            });
+          };
+        };
       };
     };
   };
 
@@ -144,7 +144,12 @@
           # disabled as a precaution.
           optimise.automatic = false;
 
-          gc.automatic = true;
+          gc = {
+            automatic = true;
+
+            # Minimize security vulnerability positive scan results by flushing old closures
+            options = "--delete-older-than 30d";
+          };
 
           settings = {
             auto-optimise-store = true;
 
@@ -526,6 +526,12 @@ flake: {
               listenAddress = "127.0.0.1";
               port = cfg.varnishExporterPort;
               group = "varnish";
+
+              # Required until https://github.com/nixos/nixpkgs/issues/400003 is fixed.
+              instance =
+                if versionOlder config.services.varnish.package.version "7"
+                then "/var/run/varnish/${config.networking.hostName}"
+                else "/var/run/varnishd";
             };
           };
         };
 
@@ -352,7 +352,41 @@ flake @ {moduleWithSystem, ...}: {
     config = {
       # The hosts file is case-insensitive, so switch from camelCase attr name to kebab-case
       networking.hosts = mkIf (gfModules ? ips) (let
-        allIps = head gfModules.ips.imports;
+        # Prior to "github:hercules-ci/flake-parts/dc3b467eac0fe1436e897d01c35dabe63b4749ea"
+        # made on Sept 12th, 2024, the expression:
+        #
+        #   head gfModules.ips.imports
+        #
+        # yielded an attrSet with attrName as machine name and
+        # attrValue as attrSet of ip type to ip value.  We'll refer to this
+        # attrSet as ipInfo for simplicity below.
+        #
+        # After this commit, the same expression instead returns:
+        #
+        #  {
+        #    imports = [
+        #      {
+        #        _file = "$NIX_STORE_PATH, via option flake.nixosModules.ips";
+        #        imports = [
+        #          ipInfo
+        #        ];
+        #      }
+        #    ]
+        #  }
+        #
+        # The same info can be extracted with:
+        #
+        #   head (head (head gfModules.ips.imports).imports).imports
+        #
+        # but this is getting rather ugly, so let's use a recursive function
+        # instead.
+        allIps = let
+          flattenImports = m:
+            if m ? imports && isList m.imports
+            then flattenImports (head m.imports)
+            else m;
+        in
+          flattenImports gfModules.ips;
 
         hostsList =
           # See hostsList type and description above
 
@@ -613,6 +613,12 @@ flake: {
             listenAddress = "127.0.0.1";
             port = cfg.varnishExporterPort;
             group = "varnish";
+
+            # Required until https://github.com/nixos/nixpkgs/issues/400003 is fixed.
+            instance =
+              if versionOlder config.services.varnish.package.version "7"
+              then "/var/run/varnish/${config.networking.hostName}"
+              else "/var/run/varnishd";
           };
         };
       };
 
@@ -386,6 +386,12 @@ flake: {
             listenAddress = "127.0.0.1";
             port = cfg.varnishExporterPort;
             group = "varnish";
+
+            # Required until https://github.com/nixos/nixpkgs/issues/400003 is fixed.
+            instance =
+              if versionOlder config.services.varnish.package.version "7"
+              then "/var/run/varnish/${config.networking.hostName}"
+              else "/var/run/varnishd";
           };
         };
       };
 
@@ -29,7 +29,7 @@ flake @ {moduleWithSystem, ...}: {
   }:
     with builtins;
     with lib; let
-      inherit (lib.types) attrsOf bool enum listOf str;
+      inherit (lib.types) attrsOf bool enum listOf str lines;
       inherit (config.cardano-parts.perNode.meta) cardanoDbSyncPrometheusExporterPort cardanoNodePrometheusExporterPort hostAddr;
       inherit (groupCfg) groupName groupFlake;
       inherit (groupCfg.meta) environmentName;
@@ -432,7 +432,7 @@ flake @ {moduleWithSystem, ...}: {
           };
 
           extraAlloyConfig = mkOption {
-            type = str;
+            type = lines;
             default = "";
             description = ''
               Extra configuration appended to the /etc/alloy/config.alloy file prior to formatting.