201 lines
5.2 KiB
Nix
201 lines
5.2 KiB
Nix
{
|
|
inputs,
|
|
self,
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
secrets,
|
|
username,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.my.nix;
|
|
in
|
|
{
|
|
options.my.nix = {
|
|
enable = lib.mkEnableOption "default nix settings";
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
# This will add each flake input as a registry
|
|
# To make nix3 commands consistent with your flake
|
|
nix.registry = (lib.mapAttrs (_: flake: { inherit flake; })) (
|
|
((lib.filterAttrs (_: lib.isType "flake")) inputs) // { flake = self; }
|
|
);
|
|
|
|
# This will additionally add your inputs to the system's legacy channels
|
|
# Making legacy nix commands consistent as well, awesome!
|
|
nix.nixPath = [ "/etc/nix/path" ];
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
nix-output-monitor
|
|
nh
|
|
];
|
|
|
|
environment.etc =
|
|
(lib.mapAttrs' (name: value: {
|
|
name = "nix/path/${name}";
|
|
value.source = value.flake;
|
|
}) config.nix.registry)
|
|
// {
|
|
"nix/nix-racer.toml".source = (pkgs.formats.toml { }).generate "nix-racer.toml" {
|
|
listen = "127.0.0.1:2048";
|
|
substituters = [
|
|
{
|
|
penalty = 0;
|
|
url = "https://mirror.sjtu.edu.cn/nix-channels/store";
|
|
}
|
|
{
|
|
penalty = 50;
|
|
url = "https://mirrors.ustc.edu.cn/nix-channels/store";
|
|
}
|
|
{
|
|
penalty = 0;
|
|
url = "https://nix-community.cachix.org";
|
|
}
|
|
{
|
|
penalty = 0;
|
|
url = "https://cache.garnix.io";
|
|
}
|
|
{
|
|
penalty = 100;
|
|
url = "https://cache.nixos.org";
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
systemd.services.nix-racer = {
|
|
description = "Nix substituter proxy with parallel cache queries and latency-aware selection";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network-online.target" ];
|
|
wants = [ "network-online.target" ];
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
ExecStart = "${lib.getExe (pkgs.callPackage ./nix-racer/_package.nix { })}";
|
|
Restart = "on-failure";
|
|
RestartSec = 5;
|
|
|
|
DynamicUser = true;
|
|
CapabilityBoundingSet = [ "" ];
|
|
DeviceAllow = "";
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
NoNewPrivileges = true;
|
|
PrivateDevices = true;
|
|
PrivateTmp = true;
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectSystem = "strict";
|
|
RestrictAddressFamilies = [
|
|
"AF_INET"
|
|
"AF_INET6"
|
|
];
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"~@resources"
|
|
"~@privileged"
|
|
];
|
|
UMask = "0077";
|
|
};
|
|
};
|
|
|
|
nix.settings = {
|
|
experimental-features = "nix-command flakes pipe-operators";
|
|
substituters = lib.mkForce [
|
|
"http://127.0.0.1:2048"
|
|
|
|
# "https://mirrors.ustc.edu.cn/nix-channels/store"
|
|
# "https://mirrors.sjtug.sjtu.edu.cn/nix-channels/store"
|
|
# "https://mirror.sjtu.edu.cn/nix-channels/store"
|
|
# "https://nix-community.cachix.org"
|
|
# "https://cache.garnix.io"
|
|
];
|
|
trusted-public-keys = [
|
|
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
|
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
|
|
];
|
|
download-buffer-size = 536870912; # 512 MiB
|
|
warn-dirty = false;
|
|
};
|
|
|
|
sops.secrets.nix-github-token = {
|
|
sopsFile = secrets.nix-github-token;
|
|
format = "binary";
|
|
owner = username;
|
|
group = "users";
|
|
mode = "0400";
|
|
};
|
|
|
|
my.hm = {
|
|
nix.extraOptions = ''
|
|
!include ${config.sops.secrets.nix-github-token.path}
|
|
'';
|
|
|
|
home.packages = with pkgs; [
|
|
nixd
|
|
nixfmt
|
|
];
|
|
|
|
xdg.configFile."direnv/lib/angrr.sh".source =
|
|
"${config.services.angrr.package}/share/direnv/lib/angrr.sh";
|
|
|
|
programs.direnv.stdlib = ''
|
|
use angrr
|
|
'';
|
|
};
|
|
|
|
# uncomment to enable auto gc
|
|
/*
|
|
nix.gc = {
|
|
automatic = true;
|
|
dates = "weekly";
|
|
options = "--delete-older-than 30d";
|
|
};
|
|
*/
|
|
|
|
services.angrr = {
|
|
enable = true;
|
|
settings = {
|
|
temporary-root-policies = {
|
|
direnv = {
|
|
path-regex = "/\\.direnv/";
|
|
period = "14d";
|
|
};
|
|
result = {
|
|
path-regex = "/result[^/]*$";
|
|
period = "3d";
|
|
};
|
|
};
|
|
profile-policies = {
|
|
system = {
|
|
profile-paths = [ "/nix/var/nix/profiles/system" ];
|
|
keep-since = "14d";
|
|
keep-latest-n = 5;
|
|
keep-booted-system = true;
|
|
keep-current-system = true;
|
|
};
|
|
user = {
|
|
profile-paths = [
|
|
"~/.local/state/nix/profiles/profile"
|
|
"/nix/var/nix/profiles/per-user/root/profile"
|
|
];
|
|
keep-since = "14d";
|
|
keep-latest-n = 5;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|