From 29612baa12c654f6b38603596d2fcf6fa87596c3 Mon Sep 17 00:00:00 2001
From: blahai
Date: Mon, 17 Feb 2025 21:20:07 +0200
Subject: [PATCH] nix stuff
---
modules/base/default.nix | 1 +
modules/base/nix/default.nix | 121 ++----------------------------
modules/base/nix/nix.nix | 118 +++++++++++++++++++++++++++++
modules/base/nix/substituters.nix | 15 ++++
modules/base/nix/system.nix | 7 ++
modules/base/users/default.nix | 5 ++
modules/base/users/root.nix | 9 +++
modules/nixos/default.nix | 1 +
8 files changed, 161 insertions(+), 116 deletions(-)
create mode 100644 modules/base/nix/nix.nix
create mode 100644 modules/base/nix/substituters.nix
create mode 100644 modules/base/nix/system.nix
create mode 100644 modules/base/users/default.nix
create mode 100644 modules/base/users/root.nix
diff --git a/modules/base/default.nix b/modules/base/default.nix
index 344c6b1..bd72ff3 100644
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./nix
+ ./users
 ];
 }
diff --git a/modules/base/nix/default.nix b/modules/base/nix/default.nix
index aadb8cb..174b087 100644
--- a/modules/base/nix/default.nix
+++ b/modules/base/nix/default.nix
@@ -1,118 +1,7 @@
 {
- lib,
- inputs,
- ...
-}: let
- inherit (lib.attrsets) filterAttrs mapAttrs;
- inherit (lib.types) isType;
-
- flakeInputs = filterAttrs (name: value: (isType "flake" value) && (name != "self")) inputs;
-in {
- nix = {
- # pin the registry to avoid downloading and evaluating a new nixpkgs version everytime
- registry = mapAttrs (_: flake: {inherit flake;}) flakeInputs;
-
- gc = {
- automatic = true;
- options = "--delete-older-than 7d";
- };
-
- channel.enable = false;
-
- settings = {
- min-free = 5 * 1024 * 1024 * 1024;
- max-free = 20 * 1024 * 1024 * 1024;
-
- # automatically optimise symlinks
- # Disable auto-optimise-store because of this issue:
- # https://github.com/NixOS/nix/issues/7273
- auto-optimise-store = true;
-
- # users or groups which are allowed to do anything with the Nix daemon
- allowed-users = ["@wheel"];
- # users or groups which are allowed to manage the nix store
- trusted-users = ["@wheel"];
-
- # we don't want to track the registry, but we do want to allow the usage
- # of the `flake:` references, so we need to enable use-registries
- use-registries = true;
- flake-registry = "";
-
- max-jobs = "auto";
-
- # build inside sandboxed environments
- sandbox = true;
-
- # supported system features
- system-features = [
- "nixos-test"
- "kvm"
- "recursive-nix"
- "big-parallel"
- ];
-
- keep-going = true;
-
- # show more log lines for failed builds, as this happens alot and is useful
- log-lines = 30;
-
- # https://docs.lix.systems/manual/lix/nightly/contributing/experimental-features.html
- experimental-features = [
- # enables flakes, needed for this config
- "flakes"
-
- # enables the nix3 commands, a requirement for flakes
- "nix-command"
-
- # allow nix to call itself
- "recursive-nix"
-
- # allow nix to build and use content addressable derivations, these are nice because
- # they prevent rebuilds when changes to the derivation do not result in changes to the derivation's output
- "ca-derivations"
-
- # Allows Nix to 
automatically pick UIDs for builds, rather than creating nixbld* user accounts
- # which is BEYOND annoying, which makes this a really nice feature to have
- "auto-allocate-uids"
-
- # allows Nix to execute builds inside cgroups
- # remember you must also enable use-cgroups in the nix.conf or settings
- "cgroups"
-
- # allow passing installables to nix repl, making its interface consistent with the other experimental commands
- "repl-flake"
-
- # allow usage of the pipe operator in nix expressions
- "pipe-operator"
-
- # enable the use of the fetchClosure built-in function in the Nix language
- "fetch-closure"
-
- # dependencies in derivations on the outputs of derivations that are themselves derivations outputs
- "dynamic-derivations"
-
- # allow parsing TOML timestamps via builtins.fromTOML
- "parse-toml-timestamps"
- ];
-
- warn-dirty = false;
-
- http-connections = 50;
-
- # whether to accept nix configuration from a flake without prompting
- # literally a CVE waiting to happen
- accept-flake-config = false;
-
- # build from source if the build fails from a binary source
- fallback = true;
-
- # this defaults to true, however it slows down evaluation and I'm pretty sure it's not needed (yet?)
- allow-import-from-derivation = false;
-
- keep-derivations = true;
- keep-outputs = true;
-
- use-xdg-base-directories = true;
- };
- };
+ imports = [
+ ./nix.nix
+ ./substituters.nix
+ ./system.nix
+ ];
 }
diff --git a/modules/base/nix/nix.nix b/modules/base/nix/nix.nix
new file mode 100644
index 0000000..aadb8cb
--- /dev/null
+++ b/modules/base/nix/nix.nix
@@ -0,0 +1,118 @@
+{
+ lib,
+ inputs,
+ ...
+}: let
+ inherit (lib.attrsets) filterAttrs mapAttrs;
+ inherit (lib.types) isType;
+
+ flakeInputs = filterAttrs (name: value: (isType "flake" value) && (name != "self")) inputs;
+in {
+ nix = {
+ # pin the registry to avoid downloading and evaluating a new nixpkgs version everytime
+ registry = mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ };
+
+ channel.enable = false;
+
+ settings = {
+ min-free = 5 * 1024 * 1024 * 1024;
+ max-free = 20 * 1024 * 1024 * 1024;
+
+ # automatically optimise symlinks
+ # Disable auto-optimise-store because of this issue:
+ # https://github.com/NixOS/nix/issues/7273
+ auto-optimise-store = true;
+
+ # users or groups which are allowed to do anything with the Nix daemon
+ allowed-users = ["@wheel"];
+ # users or groups which are allowed to manage the nix store
+ trusted-users = ["@wheel"];
+
+ # we don't want to track the registry, but we do want to allow the usage
+ # of the `flake:` references, so we need to enable use-registries
+ use-registries = true;
+ flake-registry = "";
+
+ max-jobs = "auto";
+
+ # build inside sandboxed environments
+ sandbox = true;
+
+ # supported system features
+ system-features = [
+ "nixos-test"
+ "kvm"
+ "recursive-nix"
+ "big-parallel"
+ ];
+
+ keep-going = true;
+
+ # show more log lines for failed builds, as this happens alot and is useful
+ log-lines = 30;
+
+ # https://docs.lix.systems/manual/lix/nightly/contributing/experimental-features.html
+ experimental-features = [
+ # enables flakes, needed for this config
+ "flakes"
+
+ # enables the nix3 commands, a requirement for flakes
+ "nix-command"
+
+ # allow nix to call itself
+ "recursive-nix"
+
+ # allow nix to build and use content addressable derivations, these are nice because
+ # they prevent rebuilds when changes to the derivation do not result in changes to the derivation's output
+ "ca-derivations"
+
+ # Allows Nix to 
automatically pick UIDs for builds, rather than creating nixbld* user accounts
+ # which is BEYOND annoying, which makes this a really nice feature to have
+ "auto-allocate-uids"
+
+ # allows Nix to execute builds inside cgroups
+ # remember you must also enable use-cgroups in the nix.conf or settings
+ "cgroups"
+
+ # allow passing installables to nix repl, making its interface consistent with the other experimental commands
+ "repl-flake"
+
+ # allow usage of the pipe operator in nix expressions
+ "pipe-operator"
+
+ # enable the use of the fetchClosure built-in function in the Nix language
+ "fetch-closure"
+
+ # dependencies in derivations on the outputs of derivations that are themselves derivations outputs
+ "dynamic-derivations"
+
+ # allow parsing TOML timestamps via builtins.fromTOML
+ "parse-toml-timestamps"
+ ];
+
+ warn-dirty = false;
+
+ http-connections = 50;
+
+ # whether to accept nix configuration from a flake without prompting
+ # literally a CVE waiting to happen
+ accept-flake-config = false;
+
+ # build from source if the build fails from a binary source
+ fallback = true;
+
+ # this defaults to true, however it slows down evaluation and I'm pretty sure it's not needed (yet?)
+ allow-import-from-derivation = false;
+
+ keep-derivations = true;
+ keep-outputs = true;
+
+ use-xdg-base-directories = true;
+ };
+ };
+}
diff --git a/modules/base/nix/substituters.nix b/modules/base/nix/substituters.nix
new file mode 100644
index 0000000..5226f96
--- /dev/null
+++ b/modules/base/nix/substituters.nix
@@ -0,0 +1,15 @@
+{
+ nix.settings = {
+ substituters = [
+ "https://nix-community.cachix.org"
+ "https://nixpkgs-unfree.cachix.org"
+ "https://hyprland.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
+ "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+ ];
+ };
+}
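Review bot: The comment block above `auto-optimise-store = true;` in nix.nix reads `# Disable auto-optimise-store because of this issue:` and cites NixOS/nix#7273, yet the value enables the option, so either the setting or the comment is stale and the two should be reconciled (e.g. `# auto-optimise-store is kept on despite NixOS/nix#7273; revisit if store corruption shows up`). Separately, `trusted-users = ["@wheel"];` is stronger than its comment `# users or groups which are allowed to manage the nix store` suggests: a trusted user can override daemon settings such as substituters, trusted-public-keys and sandbox paths, which the Nix manual describes as effectively root-equivalent, so the comment should say so rather than read like a store-maintenance permission. The `"cgroups"` entry's own comment says use-cgroups must also be enabled, but no `use-cgroups` setting appears in this file; if it is not set in another module the feature flag has no effect, which is worth a note next to it.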
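Review bot: A key listed in `trusted-public-keys` is accepted as a valid signature for any substituted store path, not only for paths served by the cache on the adjacent line, so each of the three entries in substituters.nix extends trust to that cache operator across the whole store; the file should state this, e.g. `# any key below may sign any substituted path; remove a key together with its cache`. Whether the default cache.nixos.org substituter and key remain in effect alongside these depends on how `nix.settings` list options merge in this configuration, which the hunk does not show; confirm the effective lists in the generated nix.conf after a rebuild.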
diff --git a/modules/base/nix/system.nix b/modules/base/nix/system.nix
new file mode 100644
index 0000000..d939e97
--- /dev/null
+++ b/modules/base/nix/system.nix
@@ -0,0 +1,7 @@
+{lib, ...}: let
+ inherit (lib.modules) mkDefault;
+in {
+ system = {
+ stateVersion = mkDefault "25.05";
+ };
+}
diff --git a/modules/base/users/default.nix b/modules/base/users/default.nix
new file mode 100644
index 0000000..f58e484
--- /dev/null
+++ b/modules/base/users/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./root.nix
+ ];
+}
diff --git a/modules/base/users/root.nix b/modules/base/users/root.nix
new file mode 100644
index 0000000..1697fa1
--- /dev/null
+++ b/modules/base/users/root.nix
@@ -0,0 +1,9 @@
+{
+ users.users.root = {
+ initialPassword = "changeme";
+
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu"
+ ];
+ };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index bafbeed..7f00f42 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./boot
 ./hardware
+ ./misc
 ./remote-modules.nix
 ];
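Review bot: `initialPassword = "changeme";` in root.nix puts a well-known plaintext password on the root account; NixOS applies initialPassword only when the account is first created, the value ends up readable in the Nix store, and it stays valid for local login (and for SSH if password authentication and root login are permitted, which this hunk does not show) until someone changes it by hand. Since an SSH key is already provisioned via `openssh.authorizedKeys.keys`, prefer dropping the password entirely or replacing it with `hashedPasswordFile = "<path-to-secret-outside-the-repo>";` or `initialHashedPassword = "<mkpasswd-output>";` so no reusable plaintext credential lives in the repository. The system.nix and users/default.nix hunks on this line are trivial, and the modules/nixos/default.nix hunk is cut off at the end of the page.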