From f47505af0b363a480e7e0b5184b6f559a2470fa5 Mon Sep 17 00:00:00 2001 From: Evan Reichard Date: Sun, 8 Feb 2026 11:02:36 -0500 Subject: [PATCH] build: add determinate nix support for darwin - Add determinateSystems/determinate flake input - Include determinate darwin modules in configuration - Disable legacy nix module configuration - Remove modules/darwin/nix/default.nix - Add mac-va-mbp-work system using determinate nix --- flake.lock | 217 +++++++++++++++++- flake.nix | 2 + modules/darwin/default.nix | 1 + modules/darwin/nix/default.nix | 103 --------- .../mac-va-mbp-personal/default.nix | 11 +- .../mac-va-mbp-work/default.nix | 11 + 6 files changed, 230 insertions(+), 115 deletions(-) delete mode 100644 modules/darwin/nix/default.nix create mode 100644 systems/aarch64-darwin/mac-va-mbp-work/default.nix diff --git a/flake.lock b/flake.lock index 249b169..60d0bf7 100755 --- a/flake.lock +++ b/flake.lock 
@@ -42,9 +42,67 @@ "type": "github" } }, + "determinate": { + "inputs": { + "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin", + "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux", + "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux", + "nix": "nix", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1770325739, + "narHash": "sha256-TPDWnhzKW/1+FPMiagZ9mZiQN0aKcGC09yYSUBuv8Mo=", + "owner": "determinatesystems", + "repo": "determinate", + "rev": "1b3259b71c81508ffd409114525df6a55c0f337f", + "type": "github" + }, + "original": { + "owner": "determinatesystems", + "repo": "determinate", + "type": "github" + } + }, + "determinate-nixd-aarch64-darwin": { + "flake": false, + "locked": { + "narHash": "sha256-zK2dgNHh/p92rk5jN+Y1LOMn0HEdTsS+7XXwb2g52oM=", + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.2/macOS" + }, + "original": { + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.2/macOS" + } + }, + "determinate-nixd-aarch64-linux": { + "flake": false, + "locked": { + "narHash": "sha256-ckvZP0zFcbzLXWYOJUqYXkKBt0b2IZcQEr7YjEVtwOI=", + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.2/aarch64-linux" + }, + "original": { + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.2/aarch64-linux" + } + }, + "determinate-nixd-x86_64-linux": { + "flake": false, + "locked": { + "narHash": "sha256-8dLtm8FJrpyBmrNpspJj30/6I5HGEfjjXuFqURcZ8pk=", + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.2/x86_64-linux" + }, + "original": { + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.2/x86_64-linux" + } + }, "disko": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1769524058, 
@@ -98,6 +156,22 @@ } }, "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1650374568, @@ -113,6 +187,27 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "determinate", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1748821116, + "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", + "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", + "revCount": 377, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -150,6 +245,32 @@ "type": "github" } }, + "git-hooks-nix": { + "inputs": { + "flake-compat": "flake-compat_2", + "gitignore": [ + "determinate", + "nix" + ], + "nixpkgs": [ + "determinate", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747372754, + "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", + "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", + "revCount": 1026, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -171,6 +292,27 @@ "type": "github" } }, + "nix": { + "inputs": { + "flake-parts": "flake-parts", + "git-hooks-nix": "git-hooks-nix", + "nixpkgs": "nixpkgs", + "nixpkgs-23-11": "nixpkgs-23-11", + "nixpkgs-regression": "nixpkgs-regression" + }, + "locked": { + "lastModified": 1768960381, + "narHash": "sha256-32oMe1y+kwvIJNiJsIvozTuSmDxcwST06i+0ak+L4AU=", + "rev": "45ce621408cb8c9a724193d5fe858eb839662db8", + "revCount": 24453, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.2/019bde75-b4ee-74b2-a812-28dc2ee83d58/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A" + } + }, "nixlib": { "locked": { "lastModified": 1736643958, 
@@ -209,17 +351,47 @@ }, "nixpkgs": { "locked": { - "lastModified": 1769330179, - "narHash": "sha256-yxgb4AmkVHY5OOBrC79Vv6EVd4QZEotqv+6jcvA212M=", + "lastModified": 1761597516, + "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", + "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", + "revCount": 811874, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505" + } + }, + "nixpkgs-23-11": { + "locked": { + "lastModified": 1717159533, + "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "48698d12cc10555a4f3e3222d9c669b884a49dfe", + "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", "repo": "nixpkgs", + "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", + "type": "github" + } + }, + "nixpkgs-regression": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", "type": "github" } }, 
@@ -240,6 +412,36 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1768783163, + "narHash": "sha256-tLj4KcRDLakrlpvboTJDKsrp6z2XLwyQ4Zmo+w8KsY4=", + "rev": "bde09022887110deb780067364a0818e89258968", + "revCount": 930106, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.930106%2Brev-bde09022887110deb780067364a0818e89258968/019bd9ed-5f0b-7074-afb0-8bb5e13a7598/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1769330179, + "narHash": "sha256-yxgb4AmkVHY5OOBrC79Vv6EVd4QZEotqv+6jcvA212M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "48698d12cc10555a4f3e3222d9c669b884a49dfe", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1770056022, "narHash": "sha256-yvCz+Qmci1bVucXEyac3TdoSPMtjqVJmVy5wro6j/70=", @@ -259,11 +461,12 @@ "inputs": { "apple-silicon": "apple-silicon", "darwin": "darwin", + "determinate": "determinate", "disko": "disko", "firefox-addons": "firefox-addons", "home-manager": "home-manager", "nixos-generators": "nixos-generators", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_4", "nixpkgs-unstable": "nixpkgs-unstable", "snowfall-lib": "snowfall-lib", "sops-nix": "sops-nix" @@ -271,7 +474,7 @@ }, "snowfall-lib": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "flake-utils-plus": "flake-utils-plus", "nixpkgs": [ "nixpkgs" diff --git a/flake.nix b/flake.nix index 4b296a7..6352750 100755 --- a/flake.nix +++ b/flake.nix 
@@ -5,6 +5,7 @@
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
 nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 disko.url = "github:nix-community/disko";
+ determinate.url = "github:determinatesystems/determinate";
 snowfall-lib = {
 url = "github:snowfallorg/lib";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -73,6 +74,7 @@
 ./modules/nixos/common
 ];
 darwin = with inputs; [
+ determinate.darwinModules.default
 home-manager.darwinModules.home-manager
 sops-nix.darwinModules.sops
 ];
diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix
index 649f021..070a8c9 100644
--- a/modules/darwin/default.nix
+++ b/modules/darwin/default.nix
@@ -1,5 +1,6 @@
 {
 config = {
+ nix.enable = false;
 home-manager = {
 useGlobalPkgs = true;
 useUserPackages = true;
diff --git a/modules/darwin/nix/default.nix b/modules/darwin/nix/default.nix
deleted file mode 100644
index 3adffcd..0000000
--- a/modules/darwin/nix/default.nix
+++ /dev/null
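Review bot: The new `determinate.url` input in the first flake.nix hunk names the GitHub repository with no ref, and unlike `snowfall-lib` directly below it has no `inputs.nixpkgs.follows`, with nothing saying whether that is deliberate. The flake.lock hunks in this commit show what the input pulls in: three prebuilt `determinate-nixd` files from install.determinate.systems and several FlakeHub tarballs, including additional nixpkgs trees, which presumably end up running as the system Nix daemon. The `narHash` values in the lock pin all of them, so the exposure is at `nix flake update` time rather than at build time. I would add a comment above the input, e.g. `# Ships the prebuilt determinate-nixd daemon; review flake.lock changes for this input on every update.`, and note there whether the missing `follows` is intentional. The `inputs` block starts and ends outside the hunk.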
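Review bot: `nix.enable = false;` in modules/darwin/default.nix is now applied unconditionally to every darwin host from the shared module, with no comment explaining the coupling to Determinate. Both systems under systems/aarch64-darwin in this commit set `determinateNix.enable = true`, so nothing breaks today, but a future darwin host that omits it would have no declaratively managed Nix configuration at all. I would document the dependency on the line itself, e.g. `# Determinate Nix owns the daemon and nix.conf; nix-darwin must not manage Nix on these hosts.`. The `config` block continues past the end of the hunk.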
@@ -1,103 +0,0 @@ -{ config, lib, pkgs, inputs, namespace, host, ... }: -let - inherit (lib) types mkIf; - inherit (lib.${namespace}) mkBoolOpt mkOpt; - - cfg = config.${namespace}.nix; -in -{ - options.${namespace}.nix = { - enable = mkBoolOpt true "Whether or not to manage nix configuration."; - usingDeterminate = mkBoolOpt false "Whether we're using determinate nix"; - package = mkOpt types.package pkgs.nixVersions.latest "Which nix package to use."; - }; - - config = mkIf cfg.enable { - nix = - let - mappedRegistry = lib.pipe inputs [ - (lib.filterAttrs (_: lib.isType "flake")) - (lib.mapAttrs (_: flake: { inherit flake; })) - (x: x // { - nixpkgs.flake = if pkgs.stdenv.hostPlatform.isLinux then inputs.nixpkgs else inputs.nixpkgs-unstable; - }) - (x: if pkgs.stdenv.hostPlatform.isDarwin then lib.removeAttrs x [ "nixpkgs-unstable" ] else x) - ]; - users = [ - "root" - "@wheel" - "nix-builder" - "evanreichard" - ]; - in - { - inherit (cfg) package; - - buildMachines = lib.optional (config.${namespace}.security.sops.enable && host != "nixos-builder") { - hostName = "10.0.50.130"; - systems = [ "x86_64-linux" ]; - sshUser = "evanreichard"; - protocol = "ssh"; - sshKey = config.sops.secrets.builder_ssh_key.path; - supportedFeatures = [ - "benchmark" - "big-parallel" - "nixos-test" - "kvm" - ]; - }; - - checkConfig = true; - distributedBuilds = true; - optimise.automatic = !cfg.usingDeterminate; - registry = lib.mkForce mappedRegistry; - - gc = { - automatic = !cfg.usingDeterminate; - options = "--delete-older-than 7d"; - }; - - settings = { - connect-timeout = 5; - allowed-users = users; - max-jobs = "auto"; - auto-optimise-store = pkgs.stdenv.hostPlatform.isLinux; - builders-use-substitutes = true; - experimental-features = [ - "nix-command" - "flakes " - ]; - flake-registry = "/etc/nix/registry.json"; - http-connections = 50; - keep-derivations = true; - keep-going = true; - keep-outputs = true; - log-lines = 50; - sandbox = true; - trusted-users = users; - 
warn-dirty = false; - use-xdg-base-directories = true; - - substituters = [ - "https://anyrun.cachix.org" - "https://cache.nixos.org" - "https://hyprland.cachix.org" - "https://nix-community.cachix.org" - "https://nixpkgs-unfree.cachix.org" - "https://nixpkgs-wayland.cachix.org" - "https://numtide.cachix.org" - ]; - - trusted-public-keys = [ - "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s=" - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs=" - "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" - "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" - ]; - }; - }; - }; -} diff --git a/systems/aarch64-darwin/mac-va-mbp-personal/default.nix b/systems/aarch64-darwin/mac-va-mbp-personal/default.nix index 9370fdc..72c5f3a 100644 --- a/systems/aarch64-darwin/mac-va-mbp-personal/default.nix +++ b/systems/aarch64-darwin/mac-va-mbp-personal/default.nix @@ -1,12 +1,13 @@ { system.stateVersion = 6; - nix.enable = false; + + # System Config + determinateNix = { + enable = true; + nixosVmBasedLinuxBuilder.enable = true; + }; # System Config reichard = { - nix = { - enable = true; - usingDeterminate = true; - }; }; } diff --git a/systems/aarch64-darwin/mac-va-mbp-work/default.nix b/systems/aarch64-darwin/mac-va-mbp-work/default.nix new file mode 100644 index 0000000..4942d19 --- /dev/null +++ b/systems/aarch64-darwin/mac-va-mbp-work/default.nix @@ -0,0 +1,11 @@ +{ + system.stateVersion = 6; + + # System Config + determinateNix = { + enable = true; + nixosVmBasedLinuxBuilder.enable = true; + }; + + reichard = { }; +}
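Review bot: The new `determinateNix` block in mac-va-mbp-personal sets only `enable` and `nixosVmBasedLinuxBuilder.enable`, while the module deleted in this commit declared `sandbox = true`, `allowed-users` and `trusted-users`, and an explicit `substituters` list with matching `trusted-public-keys`. None of these are carried over, so on this host and in the new mac-va-mbp-work file (same block) the effective sandbox, trusted-user and binary-cache trust settings become whatever Determinate Nix defaults to, which this page does not show. If those defaults are acceptable, record that next to the block, e.g. `# Nix settings (sandbox, trusted-users, substituters) intentionally left at Determinate defaults.`; otherwise re-declare the ones that matter through the module's settings option. Separately, `# System Config` now appears twice in the personal file and `reichard = { };` is left empty in both.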