summaryrefslogtreecommitdiff
path: root/system-profiles/core.nix
blob: 87dc0e92544b24a65313178a0c613a2aa6e426d1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
{ flake, flakeInputs, path, hostName, config, lib, pkgs, customUtils, ... }:
let
  profileSet = customUtils.types.attrNameSet flake.nixosModules.systemProfiles;
  userProfileSet = customUtils.types.attrNameSet (lib.zipAttrs (lib.attrValues flake.nixosModules.userProfiles));
  hasSops = config.sops.secrets != {};
in {
  imports = with flakeInputs;
    [ sops-nix.nixosModules.sops
      home-manager.nixosModules.home-manager
    ];
  
  options = {
    # See mkSystemProfile in ../flake.nix
    system.profiles = lib.mkOption {
      type = profileSet;
      default = [];
      description = ''
        Set (list without duplicates) of ‘systemProfiles’ enabled for this host
      '';
    };

    users.users = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options.profiles = lib.mkOption {
          type = userProfileSet;
          default = [];
          description = ''
            Set (list without duplicates) of ‘userProfiles’ enabled for this user
          '';
        };
      });
    };
  };

  config = {
    networking.hostName = hostName;
    system.configurationRevision = lib.mkIf (flake ? rev) flake.rev;

    nixpkgs.pkgs = flake.legacyPackages.${config.nixpkgs.system}.override {
      inherit (config.nixpkgs) config;
      localSystem = config.nixpkgs.system;
    };

    nix = {
      package = pkgs.nixUnstable;
      settings = {
        sandbox = true;
        allowed-users = [ "*" ];
        trusted-users = [ "root" "@wheel" ];
      };
      extraOptions = ''
        experimental-features = nix-command flakes
      '';
      nixPath = [
        "nixpkgs=/run/nixpkgs"
        "nixpkgs-overlays=/run/nixpkgs-overlays.nix"
      ];
      registry =
        let override = { self = "nixos"; };
        in lib.mapAttrs' (inpName: inpFlake: lib.nameValuePair
          (override.${inpName} or inpName)
          { flake = inpFlake; } ) flakeInputs;
    };

    systemd.tmpfiles.rules = [
      "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}"
      "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" ''
        with builtins;

        attrValues (import
          (
            let lock = fromJSON (readFile ${toString ../flake.lock}); in
            fetchTarball {
              url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz";
              sha256 = lock.nodes.flake-compat.locked.narHash;
            }
          )
          { src = ${toString ../.}; }
        ).defaultNix.overlays
      ''}"
    ];

    users.mutableUsers = false;

    # documentation.nixos.includeAllModules = true; # incompatible with home-manager (build fails)

    home-manager = {
      useGlobalPkgs = true; # Otherwise home-manager would only work impurely
      useUserPackages = true;
    };

    sops = lib.mkIf hasSops {
      age = {
        keyFile = null;
        generateKey = false;
        sshKeyPaths = [];
      };
      gnupg = {
        home = "/root/.gnupg";
        sshKeyPaths = [];
      };
    };

    environment.systemPackages = [ pkgs.git ] ++ lib.optional hasSops pkgs.gnupg;

    system.activationScripts.symlink-flake = ''
      if test -L /etc/nixos; then
        ln -nsf ${flake} /etc/nixos
      elif test -d /etc/nixos && rmdir --ignore-fail-on-non-empty /etc/nixos; then
        ln -s ${flake} /etc/nixos
      fi
    '';
  };
}