Commit ba964f3
Changed files (8)
modules/core/nix/base.nix
@@ -0,0 +1,33 @@
+{
+ flake.modules.nixos.core = {config, ...}: {
+ nix.settings = {
+ experimental-features = ["auto-allocate-uids"];
+
+ # Select UIDs for builds automatically, EXPERIMENTAL
+ auto-allocate-uids = true;
+ # Automatically hard link identical files in the Nix store
+ auto-optimise-store = true;
+ # Remote servers preferred substituters instead of local builders
+ builders-use-substitutes = true;
+ # Unlimited HTTP connections
+ http-connections = 0;
+ # Use `$XDG_STATE_HOME/nix/...` instead of `$HOME/.nix-...`
+ use-xdg-base-directories = true;
+
+ trusted-users = ["@wheel"];
+ };
+
+ nix.extraOptions = ''
+ !include ${config.vaultix.templates.nix-access-tokens.path}
+ '';
+
+ vaultix.secrets.github-access-token.file = ./github-access-token.age;
+ vaultix.templates.nix-access-tokens = {
+ content = ''
+ access-tokens = github.com=${config.vaultix.placeholder.github-access-token}
+ '';
+ mode = "0440";
+ group = "wheel";
+ };
+ };
+}
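Review bot: `trusted-users = ["@wheel"]` on L23 hands every wheel member root-equivalent control of the daemon (trusted users may set arbitrary `substituters`, `trusted-public-keys`, `sandbox-paths` and similar), whereas the removed config trusted a single named user; if that widening is intended it deserves a comment such as `# NOTE: trusted users are effectively root on the nix daemon; keep this to admins only`, otherwise list the admin account(s) explicitly. The token template now being `0440`/`group = "wheel"` is a real improvement over the previous world-readable `0444`, but it also means `nix` run by a non-wheel user evaluates without the GitHub token; as I read Nix's `!include` handling an unreadable include is skipped rather than fatal, so that is probably acceptable, but worth stating in a comment next to `mode`. Since `!include` also silently ignores a missing file, a host where the vaultix template has not been rendered yet will fall back to unauthenticated GitHub fetches with no warning.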
modules/core/nix/flakes.nix
@@ -0,0 +1,14 @@
+{
+ flake.modules.nixos.core = _: {
+ nix.settings = {
+ experimental-features = ["nix-command" "flakes"];
+ flake-registry = "";
+ };
+ nix.channel.enable = false;
+
+ nixpkgs.flake.setNixPath = true;
+ nixpkgs.flake.setFlakeRegistry = true;
+
+ system.copySystemConfiguration = false;
+ };
+}
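Review bot: `flake-registry = ""` on L46 is the security-relevant line of this module and carries no explanation; as I understand the option, the empty string stops Nix from fetching the remote global registry, so `nixpkgs` and friends resolve only through the system registry written by `setFlakeRegistry` below. A short comment would make the intent explicit, e.g. `# Empty value: never fetch the remote global flake registry; the system registry (setFlakeRegistry) pins nixpkgs instead.` and `# Pin NIX_PATH and the system flake registry to this system's nixpkgs input.` above L50-L51.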
modules/core/nix/github-access-token.age
Binary file
modules/core/nix/nh.nix
@@ -0,0 +1,19 @@
+{
+ flake.modules.nixos.core = _: {
+ programs.nh = {
+ enable = true;
+ clean.enable = true;
+ clean.extraArgs = "--keep-since 4d --keep 3";
+ };
+
+ system.tools = {
+ # disable useless tools
+ nixos-build-vms.enable = false;
+ nixos-enter.enable = false;
+ nixos-generate-config.enable = false;
+ nixos-install.enable = false;
+ nixos-option.enable = false;
+ nixos-rebuild.enable = false; # No needed, use `nh os` instead.
+ };
+ };
+}
modules/core/nix/substituters.nix
@@ -0,0 +1,17 @@
+{
+ flake.modules.nixos.core = _: {
+ nix.settings = {
+ substituters = [
+ # cache mirror located in China
+ "https://mirrors.ustc.edu.cn/nix-channels/store?priority=10"
+ "https://mirror.sjtu.edu.cn/nix-channels/store?priority=10"
+ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store?priority=10"
+
+ "https://nix-community.cachix.org?priority=20"
+ ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ };
+}
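Review bot: The three mirrors on L86-L88 are preferred over the official cache (`priority=10`) yet only the nix-community key is listed under `trusted-public-keys`; this is sound only because integrity comes from narinfo signatures, not from trusting the mirror hosts, and because the `cache.nixos.org` key is, as far as I can tell, merged in by the NixOS module defaults rather than by this file. That invariant should be written down so a later edit does not weaken it: `# Mirrors are untrusted for authenticity: every path they serve must still carry a signature from a key in trusted-public-keys (cache.nixos.org's key is supplied by the NixOS default). Never set require-sigs = false to "fix" a mirror.` Two of these mirrors were commented out in the removed config with no reason given; if they were disabled for a cause (staleness, outages), a one-line comment on why they are back would help the next reader.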
os-modules/base/nix.nix
@@ -1,39 +1,8 @@
{
pkgs,
- config,
- myvars,
programsdb,
...
}: {
- nix.settings = {
- experimental-features = ["nix-command" "flakes"];
- trusted-users = [myvars.username];
- substituters = [
- # cache mirror located in China
- # "https://mirrors.ustc.edu.cn/nix-channels/store?priority=10"
- # "https://mirror.sjtu.edu.cn/nix-channels/store?priority=10"
- "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store?priority=10"
-
- "https://nix-community.cachix.org?priority=20"
- ];
- trusted-public-keys = [
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
- ];
- builders-use-substitutes = true;
- };
-
- nix.extraOptions = ''
- !include ${config.sops.templates.access-tokens.path}
- '';
-
- sops.templates.access-tokens = {
- content = ''
- access-tokens = github.com=${config.sops.placeholder.github-access-token}
- '';
- mode = "0444"; # file must be accessible (r) to all users, because only the build daemon runs as root and not nix evaluator itself.
- };
-
environment.etc."programs.sqlite".source = programsdb.packages.${pkgs.system}.programs-sqlite;
programs.command-not-found.dbPath = "/etc/programs.sqlite";
}
os-modules/nixos/base/nix.nix
@@ -1,30 +0,0 @@
-{
- lib,
- nixpkgs,
- ...
-}: {
- # to install chrome, you need to enable unfree packages
- # nixpkgs.config.allowUnfree = lib.mkForce true;
-
- programs.nh = {
- enable = true;
- clean.enable = true;
- clean.extraArgs = "--keep-since 4d --keep 3";
- };
-
- system.tools = {
- # disable useless tools
- nixos-build-vms.enable = false;
- nixos-enter.enable = false;
- nixos-generate-config.enable = false;
- nixos-install.enable = false;
- nixos-option.enable = false;
- nixos-rebuild.enable = false; # No needed, use `nh os` instead.
- };
-
- # Manual optimise storage: nix-store --optimise
- # https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-auto-optimise-store
- nix.settings.auto-optimise-store = true;
-
- nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
-}
secrets/base.nix
@@ -28,6 +28,4 @@
};
sops.defaultSopsFile = ./secrets.yaml;
-
- sops.secrets."github-access-token" = {};
}