bump

5 files changed, 77 insertions, 16 deletions

diff --git a/system-profiles/core/default.nix b/system-profiles/core/default.nix
index 46049e26..67d50606 100644
--- a/system-profiles/core/default.nix
+++ b/system-profiles/core/default.nix
@@ -1,7 +1,10 @@
 { flake, flakeInputs, path, hostName, config, lib, pkgs, customUtils, ... }:
+
+with lib;
+
 let
   profileSet = customUtils.types.attrNameSet flake.nixosModules.systemProfiles;
-  userProfileSet = customUtils.types.attrNameSet (lib.zipAttrs (lib.attrValues flake.nixosModules.userProfiles));
+  userProfileSet = customUtils.types.attrNameSet (zipAttrs (attrValues flake.nixosModules.userProfiles));
   hasSops = config.sops.secrets != {};
 in {
   imports = with flakeInputs;
@@ -11,7 +14,7 @@ in {
 
   options = {
     # See mkSystemProfile in ../flake.nix
-    system.profiles = lib.mkOption {
+    system.profiles = mkOption {
       type = profileSet;
       default = [];
       description = ''
@@ -19,9 +22,9 @@ in {
       '';
     };
 
-    users.users = lib.mkOption {
-      type = lib.types.attrsOf (lib.types.submodule {
-        options.profiles = lib.mkOption {
+    users.users = mkOption {
+      type = types.attrsOf (types.submodule {
+        options.profiles = mkOption {
           type = userProfileSet;
           default = [];
           description = ''
@@ -30,14 +33,71 @@ in {
         };
       });
     };
+
+    nixpkgs.externalConfig = mkOption {
+      default = {};
+      example = literalExpression
+        ''
+          { allowBroken = true; allowUnfree = true; }
+        '';
+      type = mkOptionType {
+        name = "nixpkgs-config";
+        description = "nixpkgs config";
+        check = x:
+          let traceXIfNot = c:
+                if c x then true
+                else traceSeqN 1 x false;
+              isConfig = x:
+                builtins.isAttrs x || isFunction x;
+          in traceXIfNot isConfig;
+        merge = args:
+          let
+            optCall = f: x:
+              if isFunction f
+              then f x
+              else f;
+            mergeConfig = lhs_: rhs_:
+              let
+                lhs = optCall lhs_ { inherit pkgs; };
+                rhs = optCall rhs_ { inherit pkgs; };
+              in
+              recursiveUpdate lhs rhs //
+              optionalAttrs (lhs ? packageOverrides) {
+                packageOverrides = pkgs:
+                  optCall lhs.packageOverrides pkgs //
+                  optCall (attrByPath [ "packageOverrides" ] { } rhs) pkgs;
+              } //
+              optionalAttrs (lhs ? perlPackageOverrides) {
+                perlPackageOverrides = pkgs:
+                  optCall lhs.perlPackageOverrides pkgs //
+                  optCall (attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs;
+              };
+          in foldr (def: mergeConfig def.value) {};
+      };
+      description = mdDoc ''
+        The configuration of the Nix Packages collection.  (For
+        details, see the Nixpkgs documentation.)  It allows you to set
+        package configuration options.
+
+        Used to construct `nixpkgs.pkgs`.
+      '';
+    };
+
+    nixpkgs.flakeInput = mkOption {
+      type = types.enum (attrNames flakeInputs);
+      default = if flakeInputs ? "nixpkgs-${hostName}" then "nixpkgs-${hostName}" else "nixpkgs";
+      defaultText = literalExpression ''if flakeInputs ? "nixpkgs-''${hostName}" then "nixpkgs-''${hostName}" else "nixpkgs"'';
+      internal = true;
+    };
   };
 
   config = {
     networking.hostName = hostName;
-    system.configurationRevision = lib.mkIf (flake ? rev) flake.rev;
+    system.configurationRevision = mkIf (flake ? rev) flake.rev;
 
-    nixpkgs.pkgs = flake.legacyPackages.${config.nixpkgs.system}.override {
-      inherit (config.nixpkgs) config;
+    nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") {
+      overlays = attrValues flake.overlays;
+      config = config.nixpkgs.externalConfig;
       localSystem = config.nixpkgs.system;
     };
 
@@ -64,7 +124,7 @@ in {
       ];
       registry =
         let override = { self = "nixos"; };
-        in lib.mapAttrs' (inpName: inpFlake: lib.nameValuePair
+        in mapAttrs' (inpName: inpFlake: nameValuePair
           (override.${inpName} or inpName)
           { flake = inpFlake; } ) flakeInputs;
     };
@@ -97,7 +157,7 @@ in {
       backupFileExtension = "bak";
     };
 
-    sops = lib.mkIf hasSops {
+    sops = mkIf hasSops {
       age = {
         keyFile = "/var/lib/sops-nix/key.txt";
         generateKey = false;
diff --git a/system-profiles/initrd-ssh/default.nix b/system-profiles/initrd-ssh/default.nix
index 5176234f..ef469343 100644
--- a/system-profiles/initrd-ssh/default.nix
+++ b/system-profiles/initrd-ssh/default.nix
@@ -3,8 +3,6 @@
 with lib;
 
 {
-  imports = [ ./module.nix ];
-
   config = {
     boot.initrd = {
       network = {
@@ -21,8 +19,8 @@ with lib;
       };
 
       secrets = with config.sops.secrets; {
-        "/etc/ssh/ssh_host_ed25519_key" = initrd_ssh_host_ed25519_key.path;
-        "/etc/ssh/ssh_host_rsa_key" = initrd_ssh_host_rsa_key.path;
+        "/etc/ssh/ssh_host_ed25519_key" = mkForce initrd_ssh_host_ed25519_key.path;
+        "/etc/ssh/ssh_host_rsa_key" = mkForce initrd_ssh_host_rsa_key.path;
       };
 
       extraFiles = let
diff --git a/system-profiles/networkmanager.nix b/system-profiles/networkmanager.nix
index d5c85999..0fc25619 100644
--- a/system-profiles/networkmanager.nix
+++ b/system-profiles/networkmanager.nix
@@ -9,7 +9,6 @@ with lib;
         enable = true;
         dhcp = "internal";
         dns = mkForce "dnsmasq";
-        firewallBackend = mkIf config.networking.nftables.enable "nftables";
         logLevel = "INFO";
         extraConfig = ''
           [connectivity]
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 3e17e96c..098e2b25 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -66,7 +66,10 @@ in {
     services.openssh = mkIf cfg.enable {
       hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
       settings = {
-        inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubkeyAcceptedAlgorithms;
+        inherit Ciphers Macs KexAlgorithms;
+        HostKeyAlgorithms = concatStringsSep "," HostKeyAlgorithms;
+        PubkeyAcceptedAlgorithms = concatStringsSep "," PubkeyAcceptedAlgorithms;
+        CASignatureAlgorithms = concatStringsSep "," CASignatureAlgorithms;
 
         LogLevel = "VERBOSE";
         RevokedKeys = toString ./ca/krl.bin;
diff --git a/system-profiles/rebuild-machines/default.nix b/system-profiles/rebuild-machines/default.nix
index 09832e73..cc01f66b 100644
--- a/system-profiles/rebuild-machines/default.nix
+++ b/system-profiles/rebuild-machines/default.nix
@@ -69,6 +69,7 @@ in {
           };
         };
         default = { flake = { type = "git"; url = "ssh://${cfg.repoHost}/nixos"; ref = "flakes"; }; flakeOutput = hostName; };
+        defaultText = literalExpression ''{ flake = { type = "git"; url = "ssh://''${config.system.rebuild-machine.repoHost}/nixos"; ref = "flakes"; }; flakeOutput = hostName; }'';
         description = ''
           The Flake URI of the NixOS configuration to build.
         '';