56 lines
1.8 KiB
Nix
56 lines
1.8 KiB
Nix
# needs to be kept compatible to both NixOS and nix-darwin
|
|
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
let
|
|
inputs = config.inputInjection.flake-inputs;
|
|
unstable = inputs.nixos-unstable;
|
|
in
|
|
{
|
|
nix = {
|
|
# expose all flake inputs through nix Path and registry
|
|
registry = (lib.mapAttrs (_: value: { flake = value; }) inputs) // {
|
|
nixpkgs.flake = inputs.nixpkgs;
|
|
};
|
|
nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
|
|
};
|
|
sops = {
|
|
secrets."nix/access-tokens" = {
|
|
owner = "root";
|
|
mode = "0440";
|
|
sopsFile = ./secrets.yaml;
|
|
};
|
|
templates.nix-secrets = {
|
|
content = ''
|
|
access-tokens = ${config.sops.placeholder."nix/access-tokens"}
|
|
'';
|
|
owner = "root";
|
|
# secret needs to be readable by users (nix client) as well as nix-daemon (running as root)
|
|
group = if pkgs.stdenv.isDarwin then "localaccounts" else "users";
|
|
mode = "0440";
|
|
};
|
|
};
|
|
nix.settings = builtins.mapAttrs (_: lib.mkDefault) {
|
|
# keep around all inputs necessary for offline-rebuilding the system
|
|
keep-outputs = true;
|
|
keep-derivations = true;
|
|
trusted-users = [ "spiollinux" ];
|
|
experimental-features = [
|
|
"nix-command"
|
|
"flakes"
|
|
];
|
|
# use all cores for building
|
|
cores = 0;
|
|
#auto-optimise-store = true;
|
|
};
|
|
nix.optimise.automatic = true; # temporary workaround until Lix/ Nix bug is fixed https://github.com/nix-darwin/nix-darwin/blob/e95de00a471d07435e0527ff4db092c84998698e/modules/nix/default.nix#L817C39-L817C78
|
|
# TODO: manage access token with sops instead of manual deployment
|
|
# permissions: needs to be readable by the user invoking nix and root (for nix daemon)
|
|
nix.extraOptions = ''
|
|
!include ${config.sops.templates.nix-secrets.path}
|
|
'';
|
|
}
|