From 06184eb1b33577f52058f042bc0f00edc269d66e Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@hoyer.xyz>
Date: Sat, 17 Jan 2026 19:20:57 +0100
Subject: [PATCH 1/2] refactor(nix): remove duplicate settings already provided
 by NixOS

- Remove default-substituter options (NixOS adds cache.nixos.org)
- Remove "root" from trusted-users and allowed-users (NixOS defaults)
- Simplify substituters/trusted-public-keys to only include extras

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 modules/nixos/nix/default.nix | 24 ++++--------------------
 1 file changed, 4 insertions(+), 20 deletions(-)

diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix
index c6d618b..dbb8c07 100644
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@@ -25,13 +25,6 @@ in
     enable = mkBoolOpt false "Whether or not to manage nix configuration.";
     package = mkOpt package pkgs.nix "Which nix package to use.";
 
-    default-substituter = {
-      url = mkOpt str "https://cache.nixos.org" "The url for the substituter.";
-      key =
-        mkOpt str "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-          "The trusted public key for the substituter.";
-    };
-
     extra-substituters = mkOpt (attrsOf substituters-submodule) { } "Extra substituters to configure.";
   };
 
@@ -58,7 +51,6 @@ in
     nix =
       let
         users = [
-          "root"
           config.metacfg.user.name
         ]
         ++ optional config.services.hydra.enable "hydra";
@@ -75,19 +67,11 @@ in
           sandbox = true;
           auto-optimise-store = true;
           trusted-users = users;
-          allowed-users = [
-            "@users"
-            "root"
-          ];
+          allowed-users = [ "@users" ];
 
-          substituters = [
-            cfg.default-substituter.url
-          ]
-          ++ (mapAttrsToList (name: value: name) extra-substituters);
-          trusted-public-keys = [
-            cfg.default-substituter.key
-          ]
-          ++ (mapAttrsToList (name: value: value.key) extra-substituters);
+          # NixOS already adds cache.nixos.org by default, only add extra substituters
+          substituters = mapAttrsToList (name: _: name) extra-substituters;
+          trusted-public-keys = mapAttrsToList (_: value: value.key) extra-substituters;
 
         }
         // (lib.optionalAttrs config.metacfg.tools.direnv.enable {

From 13bacc1ef1fb2f27f381a50d5d95f07e4761fa7d Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@hoyer.xyz>
Date: Sat, 17 Jan 2026 19:21:03 +0100
Subject: [PATCH 2/2] refactor(amd): remove duplicate ccache settings

ccache is already enabled by metacfg.build module

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 systems/x86_64-linux/amd/default.nix | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/systems/x86_64-linux/amd/default.nix b/systems/x86_64-linux/amd/default.nix
index 6af1ef4..c1caf72 100644
--- a/systems/x86_64-linux/amd/default.nix
+++ b/systems/x86_64-linux/amd/default.nix
@@ -1,7 +1,6 @@
 {
   pkgs,
   lib,
-  config,
   ...
 }:
 with lib;
@@ -19,9 +18,6 @@ with lib.metacfg;
     22000
   ];
 
-  programs.ccache.enable = true;
-  nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
-
   services.tailscale.enable = true;
 
   services.cratedocs-mcp.enable = true;