This can be used to deploy a host that does not have access to the main sops secrets file, e.g. because it does not have an encrypted root partition.
{ config, inputs, lib, pkgs, ... }:

let
  # Compatibility shim for the legacy NIX_PATH: a `<nixpkgs-overlays>` entry
  # pointing at this file makes `import <nixpkgs> { }` outside the system
  # configuration pick up the same overlays the flake-based system uses.
  # Adapted from https://nixos.wiki/wiki/Overlays
  # NOTE(review): the shim evaluates whatever flake is checked out at
  # /var/src/config; that path should stay root-owned — confirm on deployment.
  overlaysCompatFile = pkgs.writeTextFile {
    name = "overlays-compat";
    destination = "/overlays.nix";
    text = /* nix */ ''
      self: super:
      with super.lib;
      let
        # Load the system config and get the `nixpkgs.overlays` option
        # This fails gracefully if getFlake is not available
        overlays = if builtins.hasAttr "getFlake" builtins
          then (builtins.getFlake "/var/src/config").nixosConfigurations.${config.networking.hostName}.config.nixpkgs.overlays
          else [ ];
      in
      # Apply all overlays to the input of the current "main" overlay
      foldl' (flip extends) (_: super) overlays self
    '';
  };

  # nix.conf fragment that only hosts with access to the sops secrets get.
  # Kept in a let binding so it is only forced when `sbruder.trusted` holds;
  # on other hosts the referenced secrets do not exist.
  trustedNixOptions = ''
    # Binary cache upload
    secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
    netrc-file = ${config.sops.secrets.nix-netrc.path}
  '';
in
{
  # Only trusted hosts carry the cache signing key and the cache credentials.
  # `mkIf` keeps the definition conditional without forcing `sops.secrets`
  # while `sbruder.trusted` is still being evaluated.
  sops.secrets = lib.mkIf config.sbruder.trusted {
    # Signing key for uploads to the binary cache (default sops-nix owner/mode).
    binary-cache-secret-key = { };
    # Cache credentials; readable by root and the wheel group only —
    # presumably so that wheel members' own nix invocations can use it; verify.
    nix-netrc = {
      group = "wheel";
      mode = "0440";
    };
  };

  nix = {
    # nixUnstable is what provides the flake support enabled further below
    package = pkgs.nixUnstable;

    # Pin the flake registry to the exact inputs this system was built from,
    # so `nixpkgs#…` references resolve to the same revision as the system.
    registry = {
      nixpkgs.flake = inputs.nixpkgs;
      nixpkgs-unstable.flake = inputs.nixpkgs-unstable;
    };

    # Same pinning for the legacy NIX_PATH; `<nixpkgs-overlays>` is the shim
    # defined above.
    nixPath = [
      "nixpkgs=${inputs.nixpkgs}"
      "nixpkgs-overlays=${overlaysCompatFile}"
    ];

    # Trusted users may override daemon settings (substituters etc.), which is
    # effectively root-equivalent; acceptable for wheel, which can sudo anyway.
    # Do not widen this group.
    trustedUsers = [ "@wheel" ];

    # Private cache, pinned to its public key so substituted paths are verified.
    binaryCaches = [ "https://nix-cache.sbruder.de/" ];
    binaryCachePublicKeys = [
      "nix-cache.sbruder.de-1:bU13eF6IMMW2hgO7StgB6JCAoZPeAQ27NAzV0kru1XM="
    ];

    # Deduplicate identical store files as they are added
    autoOptimiseStore = true;

    # Assemble nix.conf extras: flakes everywhere, upload credentials on
    # trusted hosts, GC-root retention on "full" hosts.
    extraOptions = lib.concatStrings [
      ''
        experimental-features = nix-command flakes
      ''
      (lib.optionalString config.sbruder.trusted trustedNixOptions)
      (lib.optionalString config.sbruder.full ''
        # Keep output of derivations with gc root
        keep-outputs = true
        keep-derivations = true
      '')
    ];

    # Lower the daemon's CPU and I/O priority so background builds stay quiet
    daemonNiceLevel = 10;
    daemonIONiceLevel = 5; # 0-7
  };

  nixpkgs.overlays = [
    inputs.self.overlay
    inputs.nixpkgs-overlay.overlay
    # Expose nixpkgs-unstable as `pkgs.unstable`, instantiated with this
    # host's nixpkgs config, overlays and system.
    (_final: _prev: {
      unstable = import inputs.nixpkgs-unstable {
        config = config.nixpkgs.config;
        overlays = config.nixpkgs.overlays;
        system = config.nixpkgs.system;
      };
    })
    inputs.AriaNg.overlay
  ];

  environment.systemPackages = [ pkgs.cached-nix-shell ];
}