modules/config: init new module

Signed-off-by: unexplrd <unexplrd@linerds.us>
2025-05-04 16:58:22 +03:00
parent 6ae0a38f62
commit b55a50ada8
42 changed files with 220 additions and 280 deletions
--- a/modules/nixos/config/nix/common.nix
+++ b/modules/nixos/config/nix/common.nix
@ -0,0 +1,39 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  nix = {
+    package = pkgs.lixPackageSets.latest.lix;
+    channel.enable = false;
+    daemonCPUSchedPolicy = "idle";
+    settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        # for container in builds support
+        "auto-allocate-uids"
+        "cgroups"
+
+        # Enable the use of the fetchClosure built-in function in the Nix language.
+        "fetch-closure"
+
+        # Allow derivation builders to call Nix, and thus build derivations recursively.
+        "recursive-nix"
+
+        # Allow the use of the impure-env setting.
+        # "configurable-impure-env"
+      ];
+    };
+  };
+  # no longer need to pre-allocate build users for everything
+  nix.settings.auto-allocate-uids = lib.mkDefault true;
+  # Needs a patch in Nix to work properly: https://github.com/NixOS/nix/pull/13135
+  nix.settings.use-cgroups = true;
+
+  # for container in builds support
+  nix.settings.system-features =
+    if lib.versionAtLeast lib.version "25.05pre"
+    then ["uid-range"]
+    else lib.mkDefault ["uid-range"];
+}
--- a/modules/nixos/config/nix/default.nix
+++ b/modules/nixos/config/nix/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./common.nix
+    ./substituters.nix
+    # ./ssh-serve.nix
+  ];
+}
--- a/modules/nixos/config/nix/distributed-build.nix
+++ b/modules/nixos/config/nix/distributed-build.nix
@ -0,0 +1,30 @@
+{
+  config,
+  inputs,
+  ...
+}: let
+  inherit (builtins) readFile;
+  inherit (config.networking) hostName;
+  inherit (config.sops) secrets;
+  inherit (inputs) mysecrets;
+  pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
+in {
+  nix = {
+    distributedBuilds = true;
+    buildMachines = [
+      {
+        hostName = "dunamis";
+        publicHostKey = pubHost;
+        sshKey = secrets."ssh-${hostName}-user".path;
+        sshUser = "nix-ssh";
+        supportedFeatures = [
+          "benchmark"
+          "big-parallel"
+          "kvm"
+          "nixos-test"
+        ];
+        system = "x86_64-linux";
+      }
+    ];
+  };
+}
--- a/modules/nixos/config/nix/ssh-serve.nix
+++ b/modules/nixos/config/nix/ssh-serve.nix
@ -0,0 +1,11 @@
+{config, ...}: let
+  inherit (builtins) readFile;
+  inherit (config.users.users) user;
+in {
+  nix.settings.trusted-users = ["nix-ssh"];
+  nix.sshServe = {
+    enable = true;
+    write = true;
+    keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
+  };
+}
--- a/modules/nixos/config/nix/substituters.nix
+++ b/modules/nixos/config/nix/substituters.nix
@ -0,0 +1,16 @@
+{
+  nix.settings = {
+    substituters = [
+      "https://cache.nixos.org/"
+      "https://chaotic-nyx.cachix.org/"
+      "https://cosmic.cachix.org/"
+      "https://nix-community.cachix.org/"
+    ];
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+      "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+}