nixcfg/modules/nixos/nix/default.nix

{
  options,
  config,
  pkgs,
  lib,
  inputs,
  ...
}:

with lib;
with lib.metacfg;
let
  cfg = config.metacfg.nix;

  substituters-submodule = types.submodule (
    { name, ... }:
    {
      options = with types; {
        key = mkOpt (nullOr str) null "The trusted public key for this substituter.";
      };
    }
  );
in
{
  options.metacfg.nix = with types; {
    enable = mkBoolOpt false "Whether or not to manage nix configuration.";
    package = mkOpt package pkgs.nix "Which nix package to use.";

    default-substituter = {
      url = mkOpt str "https://cache.nixos.org" "The url for the substituter.";
      key =
        mkOpt str "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
          "The trusted public key for the substituter.";
    };

    extra-substituters = mkOpt (attrsOf substituters-submodule) { } "Extra substituters to configure.";
  };

  config = mkIf cfg.enable {
    assertions = mapAttrsToList (name: value: {
      assertion = value.key != null;
      message = "metacfg.nix.extra-substituters.${name}.key must be set";
    }) cfg.extra-substituters;

    environment.systemPackages = with pkgs; [
      metacfg.nixos-revision
      (metacfg.nixos-hosts.override { hosts = inputs.self.nixosConfigurations; })
      deploy-rs
      nixfmt
      nix-index
      nix-prefetch-git
      nix-output-monitor
    ];

    systemd.services.nix-daemon.environment.TMPDIR = "/var/tmp";

    nix =
      let
        users = [
          "root"
          config.metacfg.user.name
        ] ++ optional config.services.hydra.enable "hydra";
        extra-substituters = cfg.extra-substituters // {
          "https://attic.teepot.org/tee-pot".key = "tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=";
        };
      in
      {
        package = cfg.package;

        settings =
          {
            experimental-features = "nix-command flakes";
            http-connections = 50;
            warn-dirty = false;
            log-lines = 50;
            sandbox = true;
            auto-optimise-store = true;
            trusted-users = users;
            allowed-users = users;

            substituters = [
              cfg.default-substituter.url
            ] ++ (mapAttrsToList (name: value: name) extra-substituters);
            trusted-public-keys = [
              cfg.default-substituter.key
            ] ++ (mapAttrsToList (name: value: value.key) extra-substituters);

          }
          // (lib.optionalAttrs config.metacfg.tools.direnv.enable {
            keep-outputs = true;
            keep-derivations = true;
          });

        gc = {
          automatic = true;
          dates = lib.mkDefault "weekly";
          options = lib.mkDefault "--delete-older-than 14d";
        };

        # flake-utils-plus
        generateRegistryFromInputs = true;
        generateNixPathFromInputs = true;
        linkInputs = true;
      };
  };
}
nix fmt Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-11-19 10:31:29 +01:00			`{`
			`options,`
			`config,`
			`pkgs,`
			`lib,`
			`inputs,`
			`...`
			`}:`
A new start 2024-03-21 15:00:36 +01:00
			`with lib;`
			`with lib.metacfg;`
			`let`
			`cfg = config.metacfg.nix;`

nix fmt Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-11-19 10:31:29 +01:00			`substituters-submodule = types.submodule (`
			`{ name, ... }:`
			`{`
			`options = with types; {`
			`key = mkOpt (nullOr str) null "The trusted public key for this substituter.";`
			`};`
			`}`
			`);`
A new start 2024-03-21 15:00:36 +01:00			`in`
			`{`
			`options.metacfg.nix = with types; {`
			`enable = mkBoolOpt false "Whether or not to manage nix configuration.";`
			`package = mkOpt package pkgs.nix "Which nix package to use.";`

			`default-substituter = {`
			`url = mkOpt str "https://cache.nixos.org" "The url for the substituter.";`
nix fmt Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-11-19 10:31:29 +01:00			`key =`
			`mkOpt str "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="`
			`"The trusted public key for the substituter.";`
A new start 2024-03-21 15:00:36 +01:00			`};`

			`extra-substituters = mkOpt (attrsOf substituters-submodule) { } "Extra substituters to configure.";`
			`};`

			`config = mkIf cfg.enable {`
nix fmt Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-11-19 10:31:29 +01:00			`assertions = mapAttrsToList (name: value: {`
			`assertion = value.key != null;`
			`message = "metacfg.nix.extra-substituters.${name}.key must be set";`
			`}) cfg.extra-substituters;`
A new start 2024-03-21 15:00:36 +01:00
			`environment.systemPackages = with pkgs; [`
			`metacfg.nixos-revision`
nix fmt Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-11-19 10:31:29 +01:00			`(metacfg.nixos-hosts.override { hosts = inputs.self.nixosConfigurations; })`
A new start 2024-03-21 15:00:36 +01:00			`deploy-rs`
			`nixfmt`
			`nix-index`
			`nix-prefetch-git`
			`nix-output-monitor`
			`];`

nix: set TMPDIR to /var/tmp Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-03-28 10:30:42 +01:00			`systemd.services.nix-daemon.environment.TMPDIR = "/var/tmp";`

A new start 2024-03-21 15:00:36 +01:00			`nix =`
			`let`
nix fmt Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-11-19 10:31:29 +01:00			`users = [`
			`"root"`
			`config.metacfg.user.name`
			`] ++ optional config.services.hydra.enable "hydra";`
A new start 2024-03-21 15:00:36 +01:00			`extra-substituters = cfg.extra-substituters // {`
feat: Add new substituter and trusted key in various modules This commit introduces a new substituter 'https://attic.teepot.org/tee-pot' and its associated trusted key 'tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg='. The changes affect the Nix, aesmd_dcap, home settings, and pccs modules. This update provides additional package sources for these modules. 2024-06-28 14:33:05 +02:00			`"https://attic.teepot.org/tee-pot".key = "tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=";`
A new start 2024-03-21 15:00:36 +01:00			`};`
			`in`
			`{`
			`package = cfg.package;`

nix fmt Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-11-19 10:31:29 +01:00			`settings =`
			`{`
			`experimental-features = "nix-command flakes";`
			`http-connections = 50;`
			`warn-dirty = false;`
			`log-lines = 50;`
			`sandbox = true;`
			`auto-optimise-store = true;`
			`trusted-users = users;`
			`allowed-users = users;`
A new start 2024-03-21 15:00:36 +01:00
nix fmt Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-11-19 10:31:29 +01:00			`substituters = [`
			`cfg.default-substituter.url`
			`] ++ (mapAttrsToList (name: value: name) extra-substituters);`
			`trusted-public-keys = [`
			`cfg.default-substituter.key`
			`] ++ (mapAttrsToList (name: value: value.key) extra-substituters);`
A new start 2024-03-21 15:00:36 +01:00
nix fmt Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-11-19 10:31:29 +01:00			`}`
			`// (lib.optionalAttrs config.metacfg.tools.direnv.enable {`
			`keep-outputs = true;`
			`keep-derivations = true;`
			`});`
A new start 2024-03-21 15:00:36 +01:00
			`gc = {`
			`automatic = true;`
feat: Update garbage collection options Adjust default garbage collection intervals and retention periods. Set default GC to run weekly and retain 14 days on nixos module and to run daily and retain 7 days on the 64-linux module. Signed-off-by: Harald Hoyer <harald@hoyer.xyz> 2024-06-25 10:09:51 +02:00			`dates = lib.mkDefault "weekly";`
			`options = lib.mkDefault "--delete-older-than 14d";`
A new start 2024-03-21 15:00:36 +01:00			`};`

			`# flake-utils-plus`
			`generateRegistryFromInputs = true;`
			`generateNixPathFromInputs = true;`
			`linkInputs = true;`
			`};`
			`};`
			`}`