commit a7a727c5765c62228f659b0caad34a8eccfd4551 · pyrox.dev/nix

+85 -17

modules/nixos/default-config/nixConfig.nix

···

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       1
        
       {

     

       2
        
         nix = {

     

       3
        
           enable = true;

     

       4
        
           # We use `nh.clean` instead, so this is disabled

     

       5
        
           gc.automatic = false;

     

       6
       -
           extraOptions = ''

     

       7
       -
             extra-experimental-features = nix-command flakes

     

       8
       -
             allowed-uris = http:// https://

     

       9
       -
           '';

     

       10
        
           settings = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       11
        
             cores = 0;

     

       12
       -
             auto-optimise-store = true;

     

       13
       -
             trusted-users = [

     

       14
       -
               "root"

     

       15
       -
               "thehedgehog"

     

       16
       -
               "pyrox"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       17
        
             ];

     

       18
       -
             trusted-substituters = [

     

       19
       -
               "https://cache.nixos.org"

     

       20
       -
               "https://crane.cachix.org"

     

       21
       -
               "https://isabelroses.cachix.org"

     

       22
       -
               "https://nix-community.cachix.org"

     

       23
       -
               "https://nixpkgs-wayland.cachix.org"

     

       24
       -
               "https://viperml.cachix.org"

     

       25
       -
               "https://cache.lix.systems"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       26
        
             ];

     

       0
        
       
     

       27
        
             trusted-public-keys = [

     

       28
        
               "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="

     

       29
        
               "crane.cachix.org-1:8Scfpmn9w+hGdXH/Q9tTLiYAE/2dnJYRJP7kl80GuRk="

     
···

       33
        
               "viperml.cachix.org-1:qZhKBMTfmcLL+OG6fj/hzsMEedgKvZVFRRAhq7j8Vh8="

     

       34
        
               "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="

     

       35
        
             ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       36
        
           };

     

       37
        
         };

     

       38
        
       }

···

       1
       +
       {

     

       2
       +
         pkgs,

     

       3
       +
         lib,

     

       4
       +
         inputs,

     

       5
       +
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
       +
         userList = [

     

       9
       +
           "root"

     

       10
       +
           "thehedgehog"

     

       11
       +
           "pyrox"

     

       12
       +
         ];

     

       13
       +
         flakeInputs = lib.filterAttrs (name: value: (value ? outputs) && (name != "self")) inputs;

     

       14
       +
       in

     

       15
        
       {

     

       16
        
         nix = {

     

       17
        
           enable = true;

     

       18
        
           # We use `nh.clean` instead, so this is disabled

     

       19
        
           gc.automatic = false;

     

       20
       +
           registry = lib.mapAttrs (_: v: { flake = v; }) flakeInputs;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       21
        
           settings = {

     

       22
       +
             # Don't auto-accept flake-defined nix settings, they're a CVE waiting to happen.

     

       23
       +
             accept-flake-config = false;

     

       24
       +
             # Allow these users to access the daemon

     

       25
       +
             allowed-users = userList;

     

       26
       +
             # No pre-defined nixbld users

     

       27
       +
             auto-allocate-uids = true;

     

       28
       +
             # Always optimize the store

     

       29
       +
             auto-optimise-store = true;

     

       30
       +
             # Compress build logs to save space

     

       31
       +
             compress-build-log = true;

     

       32
       +
             # Use all available cores to build

     

       33
        
             cores = 0;

     

       34
       +
             experimental-features = [

     

       35
       +
               # Nix3 CLI

     

       36
       +
               "nix-command"

     

       37
       +
               # Duh

     

       38
       +
               "flakes"

     

       39
       +
               # Use auto-generated uids instead of users in the nixbld group

     

       40
       +
               "auto-allocate-uids"

     

       41
       +
               # Can allow saving space in the store by content-addressing instead of input-addressing derivations

     

       42
       +
               "ca-derivations"

     

       43
       +
               # Build inside cgroups

     

       44
       +
               "cgroups"

     

       45
       +
               # Disallow URL Literals as they are deprecated

     

       46
       +
               "no-url-literals"

     

       47
       +
               # Allow Nix to call itself

     

       48
       +
               "recursive-nix"

     

       49
       +
               # Allow installables to be passed to `nix repl`

     

       50
       +
               "repl-flake"

     

       51
        
             ];

     

       52
       +
             # Build from source if substitution fails

     

       53
       +
             fallback = true;

     

       54
       +
             # Write an empty flake registry

     

       55
       +
             flake-registry = pkgs.writers.writeJSON "registry-empty.json" {

     

       56
       +
               flakes = [ ];

     

       57
       +
               version = 2;

     

       58
       +
             };

     

       59
       +
             # allow keeping direnv gc roots

     

       60
       +
             keep-derivations = true;

     

       61
       +
             # Keep going even if a build fails, so that all possible succeeding builds do

     

       62
       +
             keep-going = true;

     

       63
       +
             # More direnv gc root stuff

     

       64
       +
             keep-outputs = true;

     

       65
       +
             # Show fewer log lines from failed builds since I get them from nh

     

       66
       +
             log-lines = 10;

     

       67
       +
             # Extra system features

     

       68
       +
             system-features = [

     

       69
       +
               "big-parallel"

     

       70
       +
               "kvm"

     

       71
       +
               "nixos-test"

     

       72
       +
               "recursive-nix"

     

       73
        
             ];

     

       74
       +
             # The pubkeys of the below substituters

     

       75
        
             trusted-public-keys = [

     

       76
        
               "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="

     

       77
        
               "crane.cachix.org-1:8Scfpmn9w+hGdXH/Q9tTLiYAE/2dnJYRJP7kl80GuRk="

     
···

       81
        
               "viperml.cachix.org-1:qZhKBMTfmcLL+OG6fj/hzsMEedgKvZVFRRAhq7j8Vh8="

     

       82
        
               "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="

     

       83
        
             ];

     

       84
       +
             # Extra substituters

     

       85
       +
             trusted-substituters = [

     

       86
       +
               "https://cache.nixos.org"

     

       87
       +
               "https://crane.cachix.org"

     

       88
       +
               "https://isabelroses.cachix.org"

     

       89
       +
               "https://nix-community.cachix.org"

     

       90
       +
               "https://nixpkgs-wayland.cachix.org"

     

       91
       +
               "https://viperml.cachix.org"

     

       92
       +
               "https://cache.lix.systems"

     

       93
       +
             ];

     

       94
       +
             # These users have additional daemon rights

     

       95
       +
             trusted-users = userList;

     

       96
       +
             # Use cgroups for building

     

       97
       +
             use-cgroups = true;

     

       98
       +
             # Allow use of the registry

     

       99
       +
             use-registries = true;

     

       100
       +
             # XDG base dirs to avoid cluttering $HOME

     

       101
       +
             use-xdg-base-directories = true;

     

       102
       +
             # I almost always work in a dirty tree, I know it's dirty

     

       103
       +
             warn-dirty = false;

     

       104
        
           };

     

       105
        
         };

     

       106
        
       }