config/base.nix


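{ config, pkgs, lib, inputs, ... }:
# Base NixOS module shared by the hosts of this flake: imports, nixpkgs
# policy, automatic upgrades, nix daemon settings, gc and a few services.
{
  imports = [
    ./cachix.nix
    ./profiles/locale-no.nix
    # results of 'nixos-generate-config'
    # nice to have if i just dump this flake into /etc/nixos on a clean install
    (if builtins.pathExists ./configuration.nix
      then ./configuration.nix
      else {}
    )
    (if builtins.pathExists ./hardware-configuration.nix
      then ./hardware-configuration.nix
      else {}
    )
  ];

  nixpkgs.config.allowUnfree = true;
  nixpkgs.config.allowUnfreePredicate = (pkg: true);
  nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg

  # 'nixos-rebuild switch --upgrade', by default daily with no reboot
  system.autoUpgrade.enable = true;
  #system.autoUpgrade.allowReboot = true; # reboot after a kernel (module) or initrd upgrade, consider also setting `rebootWindow`

  # Two alternative autoUpgrade setups below: '/** /' keeps the first one
  # commented out, '/**/' leaves the second one active.
  /** /
  # TODO: this doesn't work during 'nix eval' on a non-nixos machine
  system.autoUpgrade.flake = "/etc/nixos";
  system.autoUpgrade.flags = [
    "--recreate-lock-file" # fetch new inputs
    #"--commit-lock-file" # commit new lock to local git repo
    # TODO: can i somehow first do a git pull --rebase --autostash with proper abort handling ?
    "-L" # print build logs
  ];
  #assertions = [
  #  { assertion = builtins.pathExists "/etc/nixos/flake.nix"; message = "You have yet to test systems without a flake in /etc/nixos"; }
  #];
  /**/
  # TODO: make /etc/nixos a symlink to the in-store flake? - bad idea, horrible error recovery
  # TODO: make /etc/nixos a checkout of repo?
  # TODO: update only nixpkgs and unstable
  system.autoUpgrade.flake = inputs.self.outPath; # a nix store path
  #system.autoUpgrade.flake = "github:pbsds/nix-config"; # TODO: use this instead?
  # Every run re-resolves all flake inputs to whatever is newest and the new
  # lock is never written (the in-store flake is read-only), so an upstream
  # revision lands here unreviewed and the exact inputs of a generation are
  # not recorded anywhere - see the TODO above about limiting what is updated.
  system.autoUpgrade.flags = [
    "--recreate-lock-file" # fetch new inputs
    "--no-write-lock-file" # no write new flakelock, as the in-store flake is read-only
    "-L" # print build logs
  ];
  environment.etc."current-system-flake".source = inputs.self; # the plan was to allow me to locate the new flake.lock, but alas https://github.com/NixOS/nix/issues/6895
  /**/

  environment.shells = with pkgs; [ bash zsh ];

  nix.settings.allowed-users = [ "*" ]; # default
  #nix.settings.allowed-users = [ "@nixbld" "@builders" ]; # TODO: this
  # Trusted users may override daemon-side settings (substituters, trusted
  # public keys, sandboxing) for their own builds, which the Nix manual treats
  # as root-equivalent - so every member of wheel effectively has root here.
  nix.settings.trusted-users = [ "root" "@wheel" ];
  nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
  #nix.optimise.automatic = true; # periodic optimization
  nix.gc.automatic = true;
  nix.gc.dates = "weekly";
  nix.gc.options = "--delete-older-than 30d";
  # structured equivalent of the 'experimental-features = nix-command flakes'
  # line that was previously pasted into nix.conf through nix.extraOptions
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  # TODO: only if x86_64?
  services.thermald.enable = true;
  # firewall
  services.fail2ban.enable = config.services.openssh.enable;
  networking.firewall.enable = true; # default
}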