update nix

2025-09-01 15:10:31 -04:00
parent cc045f225b
commit 93b7c6ee25
22 changed files with 303 additions and 20 deletions
--- a/modules/darwin/default.nix
+++ b/modules/darwin/default.nix
@@ -0,0 +1,8 @@
+{
+  config = {
+    home-manager = {
+      useGlobalPkgs = true;
+      useUserPackages = true;
+    };
+  };
+}
--- a/modules/darwin/nix/default.nix
+++ b/modules/darwin/nix/default.nix
@@ -0,0 +1,102 @@
+{ config, lib, pkgs, inputs, namespace, host, ... }:
+let
+  inherit (lib) types mkIf;
+  inherit (lib.${namespace}) mkBoolOpt mkOpt;
+
+  cfg = config.${namespace}.nix;
+in
+{
+  options.${namespace}.nix = {
+    enable = mkBoolOpt true "Whether or not to manage nix configuration.";
+    package = mkOpt types.package pkgs.nixVersions.latest "Which nix package to use.";
+  };
+
+  config = mkIf cfg.enable {
+    nix =
+      let
+        mappedRegistry = lib.pipe inputs [
+          (lib.filterAttrs (_: lib.isType "flake"))
+          (lib.mapAttrs (_: flake: { inherit flake; }))
+          (x: x // {
+            nixpkgs.flake = if pkgs.stdenv.hostPlatform.isLinux then inputs.nixpkgs else inputs.nixpkgs-unstable;
+          })
+          (x: if pkgs.stdenv.hostPlatform.isDarwin then lib.removeAttrs x [ "nixpkgs-unstable" ] else x)
+        ];
+        users = [
+          "root"
+          "@wheel"
+          "nix-builder"
+          "evanreichard"
+        ];
+      in
+      {
+        inherit (cfg) package;
+
+        buildMachines = lib.optional (config.${namespace}.security.sops.enable && host != "nixos-builder") {
+          hostName = "10.0.50.130";
+          systems = [ "x86_64-linux" ];
+          sshUser = "evanreichard";
+          protocol = "ssh";
+          sshKey = config.sops.secrets.builder_ssh_key.path;
+          supportedFeatures = [
+            "benchmark"
+            "big-parallel"
+            "nixos-test"
+            "kvm"
+          ];
+        };
+
+        checkConfig = true;
+        distributedBuilds = true;
+        optimise.automatic = true;
+        registry = lib.mkForce mappedRegistry;
+
+        gc = {
+          automatic = true;
+          options = "--delete-older-than 7d";
+        };
+
+        settings = {
+          connect-timeout = 5;
+          allowed-users = users;
+          max-jobs = "auto";
+          auto-optimise-store = pkgs.stdenv.hostPlatform.isLinux;
+          builders-use-substitutes = true;
+          experimental-features = [
+            "nix-command"
+            "flakes "
+          ];
+          flake-registry = "/etc/nix/registry.json";
+          http-connections = 50;
+          keep-derivations = true;
+          keep-going = true;
+          keep-outputs = true;
+          log-lines = 50;
+          sandbox = true;
+          trusted-users = users;
+          warn-dirty = false;
+          use-xdg-base-directories = true;
+
+          substituters = [
+            "https://anyrun.cachix.org"
+            "https://cache.nixos.org"
+            "https://hyprland.cachix.org"
+            "https://nix-community.cachix.org"
+            "https://nixpkgs-unfree.cachix.org"
+            "https://nixpkgs-wayland.cachix.org"
+            "https://numtide.cachix.org"
+          ];
+
+          trusted-public-keys = [
+            "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
+            "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+            "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+            "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+            "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
+            "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+            "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+          ];
+        };
+      };
+  };
+}
--- a/modules/darwin/security/sops/default.nix
+++ b/modules/darwin/security/sops/default.nix
@@ -0,0 +1,31 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.security.sops;
+in
+{
+  options.${namespace}.security.sops = {
+    enable = lib.mkEnableOption "sops";
+    defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
+    sshKeyPaths = mkOpt (with lib.types; listOf path) [
+      "/etc/ssh/ssh_host_ed25519_key"
+    ] "SSH Key paths to use.";
+  };
+
+  config = lib.mkIf cfg.enable {
+    sops = {
+      inherit (cfg) defaultSopsFile;
+
+      age = {
+        inherit (cfg) sshKeyPaths;
+
+        keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
+      };
+    };
+
+    sops.secrets.builder_ssh_key = {
+      sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+    };
+  };
+}
--- a/modules/darwin/services/openssh/default.nix
+++ b/modules/darwin/services/openssh/default.nix
@@ -0,0 +1,20 @@
+{ config, namespace, lib, ... }:
+let
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.security.sops;
+in
+{
+  options.${namespace}.services.openssh = with lib.types; {
+    enable = lib.mkEnableOption "OpenSSH support";
+    authorizedKeys = mkOpt (listOf str) [ ] "The public keys to apply.";
+    extraConfig = mkOpt str "" "Extra configuration to apply.";
+    port = mkOpt port 2222 "The port to listen on (in addition to 22).";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.openssh = {
+      enable = true;
+    };
+  };
+}
--- a/modules/darwin/user/default.nix
+++ b/modules/darwin/user/default.nix
@@ -0,0 +1,23 @@
+{ config, lib, namespace, pkgs, ... }:
+let
+  inherit (lib) types mkIf;
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.user;
+in
+{
+  options.${namespace}.user = with types; {
+    name = mkOpt str "evanreichard" "The name to use for the user account.";
+    email = mkOpt str "evan@reichard.io" "The email of the user.";
+    fullName = mkOpt str "Evan Reichard" "The full name of the user.";
+    uid = mkOpt (types.nullOr types.int) 501 "The uid for the user account.";
+  };
+
+  config = {
+    users.users.${cfg.name} = {
+      uid = mkIf (cfg.uid != null) cfg.uid;
+      shell = pkgs.bashInteractive;
+      home = "/Users/${cfg.name}";
+    };
+  };
+}
--- a/modules/home/programs/graphical/ghostty/default.nix
+++ b/modules/home/programs/graphical/ghostty/default.nix
@@ -18,6 +18,11 @@ in
        flush_dns = "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder";
      };
      profileExtra = ''
+        # Source Nix daemon
+        # if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
+        #   . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
+        # fi
+
        SHELL="$BASH"
        PATH=~/.bin:$PATH
        bind "set show-mode-in-prompt on"
--- a/modules/home/services/sops/default.nix
+++ b/modules/home/services/sops/default.nix
@@ -28,14 +28,6 @@ in
        keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths;
      };
-
-      # TODO
-      # secrets = {
-      #   nix = {
-      #     sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
-      #     path = "${config.home.homeDirectory}/.config/nix/nix.conf";
-      #   };
-      # };
    };
  };
 }
--- a/modules/nixos/services/openssh/default.nix
+++ b/modules/nixos/services/openssh/default.nix
@@ -12,6 +12,8 @@ let
  authorizedKeys = [
    # evanreichard@lin-va-mbp-personal
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
+    # evanreichard@mac-va-mbp-personal
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV"
    # evanreichard@lin-va-thinkpad
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz"
  ];