snowfall migration

modules/nixos/nix/default.nix

@@ -0,0 +1,102 @@
+{ config, lib, pkgs, inputs, namespace, host, ... }:
+let
+  inherit (lib) types mkIf;
+  inherit (lib.${namespace}) mkBoolOpt mkOpt;
+
+  cfg = config.${namespace}.nix;
+in
+{
+  options.${namespace}.nix = {
+    enable = mkBoolOpt true "Whether or not to manage nix configuration.";
+    package = mkOpt types.package pkgs.nixVersions.latest "Which nix package to use.";
+  };
+
+  config = mkIf cfg.enable {
+    nix =
+      let
+        mappedRegistry = lib.pipe inputs [
+          (lib.filterAttrs (_: lib.isType "flake"))
+          (lib.mapAttrs (_: flake: { inherit flake; }))
+          (x: x // {
+            nixpkgs.flake = if pkgs.stdenv.hostPlatform.isLinux then inputs.nixpkgs else inputs.nixpkgs-unstable;
+          })
+          (x: if pkgs.stdenv.hostPlatform.isDarwin then lib.removeAttrs x [ "nixpkgs-unstable" ] else x)
+        ];
+        users = [
+          "root"
+          "@wheel"
+          "nix-builder"
+          "evanreichard"
+        ];
+      in
+      {
+        inherit (cfg) package;
+
+        buildMachines = lib.optional (config.${namespace}.security.sops.enable && host != "nixos-builder") {
+          hostName = "10.0.50.130";
+          systems = [ "x86_64-linux" ];
+          sshUser = "evanreichard";
+          protocol = "ssh";
+          sshKey = config.sops.secrets.builder_ssh_key.path;
+          supportedFeatures = [
+            "benchmark"
+            "big-parallel"
+            "nixos-test"
+            "kvm"
+          ];
+        };
+
+        checkConfig = true;
+        distributedBuilds = true;
+        optimise.automatic = true;
+        registry = mappedRegistry;
+
+        gc = {
+          automatic = true;
+          options = "--delete-older-than 7d";
+        };
+
+        settings = {
+          connect-timeout = 5;
+          allowed-users = users;
+          max-jobs = "auto";
+          auto-optimise-store = pkgs.stdenv.hostPlatform.isLinux;
+          builders-use-substitutes = true;
+          experimental-features = [
+            "nix-command"
+            "flakes "
+          ];
+          flake-registry = "/etc/nix/registry.json";
+          http-connections = 50;
+          keep-derivations = true;
+          keep-going = true;
+          keep-outputs = true;
+          log-lines = 50;
+          sandbox = true;
+          trusted-users = users;
+          warn-dirty = false;
+          use-xdg-base-directories = true;
+
+          substituters = [
+            "https://anyrun.cachix.org"
+            "https://cache.nixos.org"
+            "https://hyprland.cachix.org"
+            "https://nix-community.cachix.org"
+            "https://nixpkgs-unfree.cachix.org"
+            "https://nixpkgs-wayland.cachix.org"
+            "https://numtide.cachix.org"
+          ];
+
+          trusted-public-keys = [
+            "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
+            "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+            "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+            "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+            "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
+            "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+            "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+          ];
+        };
+      };
+  };
+}