Commit ba964f3

HPCesia <me@hpcesia.com>
2025-09-30 15:19:21
refactor: migrate nix config
1 parent 4d576f6
modules/core/nix/base.nix
@@ -0,0 +1,33 @@
+{
+  flake.modules.nixos.core = {config, ...}: {
+    nix.settings = {
+      experimental-features = ["auto-allocate-uids"];
+
+      # Select UIDs for builds automatically, EXPERIMENTAL
+      auto-allocate-uids = true;
+      # Automatically hard link identical files in the Nix store
+      auto-optimise-store = true;
+      # Remote servers preferred substituters instead of local builders
+      builders-use-substitutes = true;
+      # Unlimited HTTP connections
+      http-connections = 0;
+      # Use `$XDG_STATE_HOME/nix/...` instead of `$HOME/.nix-...`
+      use-xdg-base-directories = true;
+
+      trusted-users = ["@wheel"];
+    };
+
+    nix.extraOptions = ''
+      !include ${config.vaultix.templates.nix-access-tokens.path}
+    '';
+
+    vaultix.secrets.github-access-token.file = ./github-access-token.age;
+    vaultix.templates.nix-access-tokens = {
+      content = ''
+        access-tokens = github.com=${config.vaultix.placeholder.github-access-token}
+      '';
+      mode = "0440";
+      group = "wheel";
+    };
+  };
+}
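Review bot: `trusted-users = ["@wheel"];` replaces the old per-user `trusted-users = [myvars.username]`, and a Nix trusted user can override daemon-side settings such as substituters, trusted-public-keys and sandbox paths, which amounts to root on the host; if every wheel member is meant to have that, a comment such as `# wheel members may override daemon settings; treat as root-equivalent` should say so. The token template also moves from the old `mode = "0444"` to `mode = "0440"` with `group = "wheel"`, but the explanation attached to the old mode (the evaluator runs as the invoking user, not as the daemon) is dropped both here and in the `os-modules/base/nix.nix` hunk; presumably a user outside wheel now hits an unreadable `!include`d file in nix.conf, so either document that the access-tokens file is wheel-only on purpose or confirm that `nix` still runs cleanly for other users.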
modules/core/nix/flakes.nix
@@ -0,0 +1,14 @@
+{
+  flake.modules.nixos.core = _: {
+    nix.settings = {
+      experimental-features = ["nix-command" "flakes"];
+      flake-registry = "";
+    };
+    nix.channel.enable = false;
+
+    nixpkgs.flake.setNixPath = true;
+    nixpkgs.flake.setFlakeRegistry = true;
+
+    system.copySystemConfiguration = false;
+  };
+}
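Review bot: `flake-registry = "";` and `nix.channel.enable = false;` land without the rationale the deleted `os-modules/nixos/base/nix.nix` carried (`# remove nix-channel related tools & configs, we use flakes instead.`); carry that comment over. The empty registry also deserves a line, e.g. `# no global (network) flake registry; bare refs like nixpkgs presumably resolve via the system registry set by setFlakeRegistry`, since the dependency on `nixpkgs.flake.setFlakeRegistry = true` below is otherwise invisible.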
modules/core/nix/github-access-token.age
Binary file
modules/core/nix/nh.nix
@@ -0,0 +1,19 @@
+{
+  flake.modules.nixos.core = _: {
+    programs.nh = {
+      enable = true;
+      clean.enable = true;
+      clean.extraArgs = "--keep-since 4d --keep 3";
+    };
+
+    system.tools = {
+      # disable useless tools
+      nixos-build-vms.enable = false;
+      nixos-enter.enable = false;
+      nixos-generate-config.enable = false;
+      nixos-install.enable = false;
+      nixos-option.enable = false;
+      nixos-rebuild.enable = false; # No needed, use `nh os` instead.
+    };
+  };
+}
modules/core/nix/substituters.nix
@@ -0,0 +1,17 @@
+{
+  flake.modules.nixos.core = _: {
+    nix.settings = {
+      substituters = [
+        # cache mirror located in China
+        "https://mirrors.ustc.edu.cn/nix-channels/store?priority=10"
+        "https://mirror.sjtu.edu.cn/nix-channels/store?priority=10"
+        "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store?priority=10"
+
+        "https://nix-community.cachix.org?priority=20"
+      ];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+    };
+  };
+}
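Review bot: The USTC and SJTU mirrors that the old `os-modules/base/nix.nix` kept commented out are re-enabled here ahead of cache.nixos.org (`?priority=10`), and the `colmena.cachix.org-1` key is dropped, neither with a comment saying why. Because a mirror only proxies store paths, integrity rests entirely on the signature check against `trusted-public-keys`, so a comment such as `# mirrors proxy cache.nixos.org paths; only the signature check guards against a tampered mirror` would make the trust assumption explicit. If any colmena-cached paths are still in use, dropping that key means they will be built locally instead of fetched, which is worth confirming before merge.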
os-modules/base/nix.nix
@@ -1,39 +1,8 @@
 {
   pkgs,
-  config,
-  myvars,
   programsdb,
   ...
 }: {
-  nix.settings = {
-    experimental-features = ["nix-command" "flakes"];
-    trusted-users = [myvars.username];
-    substituters = [
-      # cache mirror located in China
-      # "https://mirrors.ustc.edu.cn/nix-channels/store?priority=10"
-      # "https://mirror.sjtu.edu.cn/nix-channels/store?priority=10"
-      "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store?priority=10"
-
-      "https://nix-community.cachix.org?priority=20"
-    ];
-    trusted-public-keys = [
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
-    ];
-    builders-use-substitutes = true;
-  };
-
-  nix.extraOptions = ''
-    !include ${config.sops.templates.access-tokens.path}
-  '';
-
-  sops.templates.access-tokens = {
-    content = ''
-      access-tokens = github.com=${config.sops.placeholder.github-access-token}
-    '';
-    mode = "0444"; # file must be accessible (r) to all users, because only the build daemon runs as root and not nix evaluator itself.
-  };
-
   environment.etc."programs.sqlite".source = programsdb.packages.${pkgs.system}.programs-sqlite;
   programs.command-not-found.dbPath = "/etc/programs.sqlite";
 }
os-modules/nixos/base/nix.nix
@@ -1,30 +0,0 @@
-{
-  lib,
-  nixpkgs,
-  ...
-}: {
-  # to install chrome, you need to enable unfree packages
-  # nixpkgs.config.allowUnfree = lib.mkForce true;
-
-  programs.nh = {
-    enable = true;
-    clean.enable = true;
-    clean.extraArgs = "--keep-since 4d --keep 3";
-  };
-
-  system.tools = {
-    # disable useless tools
-    nixos-build-vms.enable = false;
-    nixos-enter.enable = false;
-    nixos-generate-config.enable = false;
-    nixos-install.enable = false;
-    nixos-option.enable = false;
-    nixos-rebuild.enable = false; # No needed, use `nh os` instead.
-  };
-
-  # Manual optimise storage: nix-store --optimise
-  # https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-auto-optimise-store
-  nix.settings.auto-optimise-store = true;
-
-  nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
-}
secrets/base.nix
@@ -28,6 +28,4 @@
   };
 
   sops.defaultSopsFile = ./secrets.yaml;
-
-  sops.secrets."github-access-token" = {};
 }