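{ flake, flakeInputs, path, hostName, config, lib, pkgs, customUtils, ... }:
# Base NixOS module shared by every host of this flake: wires in sops-nix and
# home-manager, declares the `profiles` selector options, pins the system's
# view of nixpkgs and the flake registry to the flake inputs, and keeps
# /etc/nixos pointing at the flake source.
let
  inherit (customUtils.types) attrNameSet;

  # Option types for the profile selectors. attrNameSet builds a "set" type
  # (a list without duplicates) from the attribute names of the given attrset.
  systemProfileType = attrNameSet flake.nixosModules.systemProfiles;
  userProfileType = attrNameSet (lib.zipAttrs (lib.attrValues flake.nixosModules.userProfiles));

  # sops-nix is only configured once some module declares at least one secret.
  sopsInUse = config.sops.secrets != {};

  # Every flake input is published in the system flake registry under its
  # input name, except for the renames listed here.
  registryAliases = { self = "nixos"; };
  registryEntry = inputName: inputFlake:
    lib.nameValuePair (registryAliases.${inputName} or inputName) { flake = inputFlake; };

  # Shim that <nixpkgs> on NIX_PATH resolves to: ./nixpkgs.nix as the entry
  # point plus the lib tree of the pinned nixpkgs input, reached through the
  # /run/nixpkgs link created by the tmpfiles rule below.
  nixpkgsShim = pkgs.runCommand "nixpkgs" {} ''
    mkdir $out
    ln -s ${./nixpkgs.nix} $out/default.nix
    ln -s /run/nixpkgs/lib $out/lib
  '';

  # Non-flake view of this flake's overlays, evaluated through flake-compat.
  # flake-compat is fetched at the rev and narHash recorded in flake.lock, so
  # the download is pinned and content-verified rather than "latest".
  overlaysFile = pkgs.writeText "overlays.nix" ''
    with builtins;
    attrValues (import
      (
        let lock = fromJSON (readFile ${flake + "/flake.lock"}); in
        fetchTarball {
          url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz";
          sha256 = lock.nodes.flake-compat.locked.narHash;
        }
      )
      { src = ${flake}; }
    ).defaultNix.overlays
  '';
in
{
  imports = [
    flakeInputs.sops-nix.nixosModules.sops
    flakeInputs.home-manager.nixosModules.home-manager
  ];

  options = {
    # See mkSystemProfile in ../flake.nix
    system.profiles = lib.mkOption {
      type = systemProfileType;
      default = [];
      description = ''
        Set (list without duplicates) of ‘systemProfiles’ enabled for this host
      '';
    };

    # Extends the per-user submodule so each user can select userProfiles.
    users.users = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options.profiles = lib.mkOption {
          type = userProfileType;
          default = [];
          description = ''
            Set (list without duplicates) of ‘userProfiles’ enabled for this user
          '';
        };
      });
    };
  };

  config = {
    networking = { inherit hostName; };

    # `rev` is absent when the flake was evaluated from a dirty working tree,
    # in which case no revision is recorded.
    system.configurationRevision = lib.mkIf (flake ? rev) flake.rev;

    # Reuse the flake's own package set (with this host's nixpkgs.config
    # applied) instead of instantiating nixpkgs a second time.
    nixpkgs.pkgs = flake.legacyPackages.${config.nixpkgs.system}.override {
      inherit (config.nixpkgs) config;
      localSystem = config.nixpkgs.system;
    };

    nix = {
      package = pkgs.nixUnstable;
      settings = {
        sandbox = true;
        # Any local user may talk to the daemon (the Nix default) ...
        allowed-users = [ "*" ];
        # ... but only these are trusted. Trusted users can override daemon
        # settings such as substituters, so wheel membership is effectively a
        # root-equivalent boundary on this host.
        trusted-users = [ "root" "@wheel" ];
        experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"];
        auto-allocate-uids = true;
        use-cgroups = true;
        use-xdg-base-directories = true;
        # Served from the pinned flake-registry input, so the global registry
        # is never fetched from the network at evaluation time.
        flake-registry = "${flakeInputs.flake-registry}/flake-registry.json";
      };
      nixPath = [ "nixpkgs=${nixpkgsShim}" ];
      registry = lib.mapAttrs' registryEntry flakeInputs;
    };

    # Stable paths for the pinned nixpkgs tree and the overlays shim, refreshed
    # on every activation.
    systemd.tmpfiles.rules = [
      "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}"
      "L+ /run/nixpkgs-overlays.nix - - - - ${overlaysFile}"
    ];

    # Accounts are fully declarative; changes made with passwd/useradd do not
    # survive the next activation.
    users.mutableUsers = false;

    # documentation.nixos.includeAllModules = true; # incompatible with home-manager (build fails)
    home-manager = {
      useGlobalPkgs = true; # Otherwise home-manager would only work impurely
      useUserPackages = false;
      backupFileExtension = "bak";
    };

    # The age key must be provisioned out of band at keyFile: it is neither
    # generated at activation nor derived from the host's SSH keys, and no
    # gnupg keyring is consulted.
    sops = lib.mkIf sopsInUse {
      age = {
        keyFile = "/var/lib/sops-nix/key.txt";
        generateKey = false;
        sshKeyPaths = [];
      };
      gnupg = {
        home = null;
        sshKeyPaths = [];
      };
    };

    programs.git = {
      enable = true;
      lfs.enable = true;
    };

    # Point /etc/nixos at the flake source. Only an existing symlink or an
    # empty directory is replaced; a non-empty /etc/nixos is left untouched.
    # `rmdir --ignore-fail-on-non-empty` exits 0 for a non-empty directory,
    # which made the previous script fall through to `ln -s` and drop a stray
    # store-path link *inside* /etc/nixos on every activation. Plain rmdir
    # (stderr silenced) plus `ln -sT` keeps the intended "skip" semantics and
    # refuses to link into a directory that still exists.
    system.activationScripts.symlink-flake = ''
      if test -L /etc/nixos; then
        ln -nsf ${flake} /etc/nixos
      elif test -d /etc/nixos && rmdir /etc/nixos 2>/dev/null; then
        ln -sT ${flake} /etc/nixos
      fi
    '';
  };
}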