nix stuff

This commit is contained in:
blahai 2025-02-17 21:20:07 +02:00
parent 1397580971
commit 29612baa12
Signed by: blahai
SSH key fingerprint: SHA256:ZfCryi+V64yG+vC1ZIIsqgvBCmA31tTi7RJ6M8CvpRc
8 changed files with 161 additions and 116 deletions


@ -1,5 +1,6 @@
{
imports = [
./nix
./users
];
}


@ -1,118 +1,7 @@
{
lib,
inputs,
...
}: let
inherit (lib.attrsets) filterAttrs mapAttrs;
inherit (lib.types) isType;
flakeInputs = filterAttrs (name: value: (isType "flake" value) && (name != "self")) inputs;
in {
nix = {
# pin the registry to avoid downloading and evaluating a new nixpkgs version everytime
registry = mapAttrs (_: flake: {inherit flake;}) flakeInputs;
gc = {
automatic = true;
options = "--delete-older-than 7d";
};
channel.enable = false;
settings = {
min-free = 5 * 1024 * 1024 * 1024;
max-free = 20 * 1024 * 1024 * 1024;
# automatically optimise symlinks
# Disable auto-optimise-store because of this issue:
# https://github.com/NixOS/nix/issues/7273
auto-optimise-store = true;
# users or groups which are allowed to do anything with the Nix daemon
allowed-users = ["@wheel"];
# users or groups which are allowed to manage the nix store
trusted-users = ["@wheel"];
# we don't want to track the registry, but we do want to allow the usage
# of the `flake:` references, so we need to enable use-registries
use-registries = true;
flake-registry = "";
max-jobs = "auto";
# build inside sandboxed environments
sandbox = true;
# supported system features
system-features = [
"nixos-test"
"kvm"
"recursive-nix"
"big-parallel"
imports = [
./nix.nix
./substituters.nix
./system.nix
];
keep-going = true;
# show more log lines for failed builds, as this happens alot and is useful
log-lines = 30;
# https://docs.lix.systems/manual/lix/nightly/contributing/experimental-features.html
experimental-features = [
# enables flakes, needed for this config
"flakes"
# enables the nix3 commands, a requirement for flakes
"nix-command"
# allow nix to call itself
"recursive-nix"
# allow nix to build and use content addressable derivations, these are nice because
# they prevent rebuilds when changes to the derivation do not result in changes to the derivation's output
"ca-derivations"
# Allows Nix to automatically pick UIDs for builds, rather than creating nixbld* user accounts
# which is BEYOND annoying, which makes this a really nice feature to have
"auto-allocate-uids"
# allows Nix to execute builds inside cgroups
# remember you must also enable use-cgroups in the nix.conf or settings
"cgroups"
# allow passing installables to nix repl, making its interface consistent with the other experimental commands
"repl-flake"
# allow usage of the pipe operator in nix expressions
"pipe-operator"
# enable the use of the fetchClosure built-in function in the Nix language
"fetch-closure"
# dependencies in derivations on the outputs of derivations that are themselves derivations outputs
"dynamic-derivations"
# allow parsing TOML timestamps via builtins.fromTOML
"parse-toml-timestamps"
];
warn-dirty = false;
http-connections = 50;
# whether to accept nix configuration from a flake without prompting
# literally a CVE waiting to happen <https://x.com/puckipedia/status/1693927716326703441>
accept-flake-config = false;
# build from source if the build fails from a binary source
fallback = true;
# this defaults to true, however it slows down evaluation and I'm pretty sure it's not needed (yet?)
allow-import-from-derivation = false;
keep-derivations = true;
keep-outputs = true;
use-xdg-base-directories = true;
};
};
}

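--- /dev/null
+++ b/modules/base/nix/nix.nix
@@ -0,0 +1,118 @@
+{
+lib,
+inputs,
+...
+}: let
+inherit (lib.attrsets) filterAttrs mapAttrs;
+inherit (lib.types) isType;
+flakeInputs = filterAttrs (name: value: (isType "flake" value) && (name != "self")) inputs;
+in {
+nix = {
+# pin the registry to avoid downloading and evaluating a new nixpkgs version everytime
+registry = mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+gc = {
+automatic = true;
+options = "--delete-older-than 7d";
+};
+channel.enable = false;
+settings = {
+min-free = 5 * 1024 * 1024 * 1024;
+max-free = 20 * 1024 * 1024 * 1024;
+# automatically optimise symlinks
+# Disable auto-optimise-store because of this issue:
+# https://github.com/NixOS/nix/issues/7273
+auto-optimise-store = true;
+# users or groups which are allowed to do anything with the Nix daemon
+allowed-users = ["@wheel"];
+# users or groups which are allowed to manage the nix store
+trusted-users = ["@wheel"];
+# we don't want to track the registry, but we do want to allow the usage
+# of the `flake:` references, so we need to enable use-registries
+use-registries = true;
+flake-registry = "";
+max-jobs = "auto";
+# build inside sandboxed environments
+sandbox = true;
+# supported system features
+system-features = [
+"nixos-test"
+"kvm"
+"recursive-nix"
+"big-parallel"
+];
+keep-going = true;
+# show more log lines for failed builds, as this happens alot and is useful
+log-lines = 30;
+# https://docs.lix.systems/manual/lix/nightly/contributing/experimental-features.html
+experimental-features = [
+# enables flakes, needed for this config
+"flakes"
+# enables the nix3 commands, a requirement for flakes
+"nix-command"
+# allow nix to call itself
+"recursive-nix"
+# allow nix to build and use content addressable derivations, these are nice because
+# they prevent rebuilds when changes to the derivation do not result in changes to the derivation's output
+"ca-derivations"
+# Allows Nix to automatically pick UIDs for builds, rather than creating nixbld* user accounts
+# which is BEYOND annoying, which makes this a really nice feature to have
+"auto-allocate-uids"
+# allows Nix to execute builds inside cgroups
+# remember you must also enable use-cgroups in the nix.conf or settings
+"cgroups"
+# allow passing installables to nix repl, making its interface consistent with the other experimental commands
+"repl-flake"
+# allow usage of the pipe operator in nix expressions
+"pipe-operator"
+# enable the use of the fetchClosure built-in function in the Nix language
+"fetch-closure"
+# dependencies in derivations on the outputs of derivations that are themselves derivations outputs
+"dynamic-derivations"
+# allow parsing TOML timestamps via builtins.fromTOML
+"parse-toml-timestamps"
+];
+warn-dirty = false;
+http-connections = 50;
+# whether to accept nix configuration from a flake without prompting
+# literally a CVE waiting to happen <https://x.com/puckipedia/status/1693927716326703441>
+accept-flake-config = false;
+# build from source if the build fails from a binary source
+fallback = true;
+# this defaults to true, however it slows down evaluation and I'm pretty sure it's not needed (yet?)
+allow-import-from-derivation = false;
+keep-derivations = true;
+keep-outputs = true;
+use-xdg-base-directories = true;
+};
+};
+}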
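Review bot: `trusted-users = ["@wheel"];` makes every wheel member root-equivalent through the daemon socket with no sudo prompt, since a trusted user can pass arbitrary `substituters`/`trusted-public-keys` per invocation and have unsigned or self-signed store paths installed system-wide; `allowed-users = ["@wheel"]` already covers day-to-day use, so unless a specific workflow needs it, consider `trusted-users = ["root"];` or at least record the accepted trade-off, e.g. `# trusted users can override substituters/keys/sandbox: effectively root; wheel already has sudo, accepted`. The comment above `auto-optimise-store` says "Disable auto-optimise-store because of this issue" while the value is `true`; either set it to `false` or drop the stale comment so the next reader is not misled about which behaviour is intended. The `cgroups` comment says `use-cgroups` must also be enabled, but that setting does not appear in this file; add it or note why it is omitted.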


@ -0,0 +1,15 @@
{
nix.settings = {
substituters = [
"https://nix-community.cachix.org"
"https://nixpkgs-unfree.cachix.org"
"https://hyprland.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
];
};
}
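Review bot: Each entry in `trusted-public-keys` is an unscoped trust anchor: Nix does not tie a key to the substituter it was added with or to a set of store paths, so a compromise of any of these three third-party caches (or of the key holder's cachix account) lets it serve a substitute for any path on this system, including ones normally fetched from cache.nixos.org. That is an accepted risk for community caches, but it should be documented at the point of trust, e.g. `# every key below can sign ANY store path; only add caches whose operator you trust with root` plus a note of where/when each fingerprint was verified. The keys themselves cannot be checked from this page; if they were copied from a blog post rather than the cache's own page, re-verify before merging.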


@ -0,0 +1,7 @@
{lib, ...}: let
inherit (lib.modules) mkDefault;
in {
system = {
stateVersion = mkDefault "25.05";
};
}


@ -0,0 +1,5 @@
{
imports = [
./root.nix
];
}


@ -0,0 +1,9 @@
{
users.users.root = {
initialPassword = "changeme";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu"
];
};
}
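Review bot: `initialPassword = "changeme";` gives root a publicly known password: NixOS writes `initialPassword` in plaintext into the world-readable Nix store, and it is applied on the first activation of this config, so any host built from it can be logged into as root on console (and over SSH if the OpenSSH config, not visible here, permits password auth for root) until someone remembers to change it. Prefer `initialHashedPassword`/`hashedPasswordFile` sourced from a secret, or if key-only root access is the intent, drop the password entirely and set `services.openssh.settings.PermitRootLogin = "prohibit-password";` alongside the `openssh.authorizedKeys.keys` entry. If this is deliberately a bootstrap credential, say so in a comment, e.g. `# BOOTSTRAP ONLY: well-known password, rotate immediately after first login`.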


@ -2,6 +2,7 @@
imports = [
./boot
./hardware
./misc
./remote-modules.nix
];