nixos-config/modules/nix.nix

{ config, lib, pkgs, ... }:
let
  # Taken from https://nixos.wiki/wiki/Overlays
  overlaysCompat = pkgs.writeTextFile {
    name = "overlays-compat";
    destination = "/overlays.nix";
    text = ''
      self: super:
      with super.lib;
      let
        # Load the system config and get the `nixpkgs.overlays` option
        overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;
      in
        # Apply all overlays to the input of the current "main" overlay
        foldl' (flip extends) (_: super) overlays self
    '';
  };
in
{
  sops.secrets.binary-cache-secret-key = { };
  sops.secrets.nix-netrc = {
    group = "wheel";
    mode = "0440";
  };

  nix = {
    nixPath = [
      "/var/src" # pinned nixpkgs and configuration
      "nixpkgs=/var/src/nixpkgs" # for nix run
      "nixpkgs-overlays=${overlaysCompat}"
    ];
    # Make sudoers trusted nix users
    trustedUsers = [ "@wheel" ];

    binaryCaches = [
      "https://nix-cache.sbruder.de/"
    ];
    binaryCachePublicKeys = [
      "nix-cache.sbruder.de-1:bU13eF6IMMW2hgO7StgB6JCAoZPeAQ27NAzV0kru1XM="
    ];

    # On-the-fly optimisation of nix store
    autoOptimiseStore = true;
    extraOptions = ''
      # Binary cache upload
      secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
      netrc-file = ${config.sops.secrets.nix-netrc.path}
    '' + lib.optionalString config.sbruder.full ''
      # Keep output of derivations with gc root
      keep-outputs = true
      keep-derivations = true
    '';

    # Make nix build in background less noticeable
    daemonNiceLevel = 10;
    daemonIONiceLevel = 5; # 0-7
  };

  nixpkgs.overlays = [
    (import ../pkgs)
    (final: prev: {
      unstable = import (import ../nix/sources.nix).nixpkgs-unstable {
        config = config.nixpkgs.config;
        overlays = config.nixpkgs.overlays;
      };
    })
  ];
}
nix: Make netrc readable by wheel group This also splits the nix configuration from the default module into its own file. 2021-04-09 11:34:49 +02:00			`{ config, lib, pkgs, ... }:`
			`let`
			`# Taken from https://nixos.wiki/wiki/Overlays`
			`overlaysCompat = pkgs.writeTextFile {`
			`name = "overlays-compat";`
			`destination = "/overlays.nix";`
			`text = ''`
			`self: super:`
			`with super.lib;`
			`let`
			# Load the system config and get the `nixpkgs.overlays` option
			`overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;`
			`in`
			`# Apply all overlays to the input of the current "main" overlay`
			`foldl' (flip extends) (_: super) overlays self`
			`'';`
			`};`
			`in`
			`{`
			`sops.secrets.binary-cache-secret-key = { };`
			`sops.secrets.nix-netrc = {`
			`group = "wheel";`
			`mode = "0440";`
			`};`

			`nix = {`
			`nixPath = [`
			`"/var/src" # pinned nixpkgs and configuration`
			`"nixpkgs=/var/src/nixpkgs" # for nix run`
			`"nixpkgs-overlays=${overlaysCompat}"`
			`];`
			`# Make sudoers trusted nix users`
			`trustedUsers = [ "@wheel" ];`

			`binaryCaches = [`
			`"https://nix-cache.sbruder.de/"`
			`];`
			`binaryCachePublicKeys = [`
			`"nix-cache.sbruder.de-1:bU13eF6IMMW2hgO7StgB6JCAoZPeAQ27NAzV0kru1XM="`
			`];`

			`# On-the-fly optimisation of nix store`
			`autoOptimiseStore = true;`
			`extraOptions = ''`
			`# Binary cache upload`
			`secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}`
			`netrc-file = ${config.sops.secrets.nix-netrc.path}`
			`'' + lib.optionalString config.sbruder.full ''`
			`# Keep output of derivations with gc root`
			`keep-outputs = true`
			`keep-derivations = true`
			`'';`

			`# Make nix build in background less noticeable`
			`daemonNiceLevel = 10;`
			`daemonIONiceLevel = 5; # 0-7`
			`};`

			`nixpkgs.overlays = [`
			`(import ../pkgs)`
			`(final: prev: {`
			`unstable = import (import ../nix/sources.nix).nixpkgs-unstable {`
			`config = config.nixpkgs.config;`
			`overlays = config.nixpkgs.overlays;`
			`};`
			`})`
			`];`
			`}`