From b746d45bdde2d27becb593c073119305add88201 Mon Sep 17 00:00:00 2001
From: Peder Bergebakken Sundt
Date: Sun, 15 Jun 2025 02:42:39 +0200
Subject: [PATCH] ljdsalkjdsalkjdaj

---
 profiles/base/default.nix | 37 ++---------------------
 profiles/base/nix.nix     | 63 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 34 deletions(-)
 create mode 100644 profiles/base/nix.nix

diff --git a/profiles/base/default.nix b/profiles/base/default.nix
index 8cf696b..444cfe2 100644
--- a/profiles/base/default.nix
+++ b/profiles/base/default.nix
@@ -6,6 +6,7 @@
   imports = let ifExists = p: if builtins.pathExists p then p else {}; in [
     ./../../secrets
     ./cachix.nix # update with `nix run nixpkgs#cachix -- use --mode nixos -d . FOOBAR`
+    ./nix.nix
     ./lix.nix
     ./locale-no.nix
     ./upgrade-diff.nix
@@ -64,7 +65,7 @@
   boot.initrd.systemd.enable = true; # systemd manages initfs boot, systemd-analyse can see what happened
 
   # https://discourse.nixos.org/t/what-to-do-with-a-full-boot-partition/2049
-  # raise to 15 if auto upgrading
+  # raised to 15 if auto upgrading by auto-upgrade.nix
   boot.loader.grub.configurationLimit = lib.mkDefault 5;
   boot.loader.systemd-boot.configurationLimit = lib.mkDefault 5;
   boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 5;
@@ -75,38 +76,6 @@
   #networking.networkmanager.wifi.backend = "iwd"; # default is wpa_supplicant, iwd doesn't support eduroam
   networking.firewall.logRefusedConnections = false; # too spammy, rotates dmesg too quickly
 
-  sops.secrets.nix-access-tokens = {};
-  sops.secrets.nix-access-tokens-all.mode = "0440";
-  sops.secrets.nix-access-tokens-all.group = config.users.groups."keys".name;
-  nix.extraOptions = ''
-    !include ${config.sops.secrets.nix-access-tokens.path}
-    !include ${config.sops.secrets.nix-access-tokens-all.path}
-  '';
-
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-    /* "pipe-operator" # not supported on lix 2.91 */
-  ];
-  #nix.settings.allowed-users = [ "@builders" ]; # TODO: this
-  nix.settings.allowed-users = [ "root" "@wheel" ]; # default is [ "*" ]
-  nix.settings.trusted-users = [ "root" "@wheel" ];
-  nix.settings.keep-derivations = true; # keep .drv in store, great with nix-diff
-  nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
-  nix.settings.max-silent-time = 3600;
-  nix.settings.connect-timeout = 5; # seconds timeout for binary caches
-  #nix.settings.keep-failed = true; # fills up $TMPDIR
-  nix.settings.log-lines = 35;
-  #nix.optimize.automatic = true; # periodic optimization
-  nix.gc.automatic = true;
-  nix.gc.dates = "weekly";
-  nix.gc.options = lib.mkIf config.system.autoUpgrade.enable "--delete-older-than 15d";
-  nix.settings.min-free = 3 * 1024 * 1024 * 1024; # starts cg
-  nix.settings.max-free = 20 * 1024 * 1024 * 1024; # condition to end gc triggered by min-free
-
-  # should not be needed since https://github.com/NixOS/nixpkgs/pull/383052
-  nix.settings.system-features = lib.mkIf (pkgs.stdenv.hostPlatform.system == "x86_64-linux" && (lib.versionOlder (lib.versions.majorMinor lib.version) "25.05")) [ "nixos-test" "big-parallel" "kvm" ];
-
   security.sudo.execWheelOnly = true;
 
   services.thermald.enable = lib.all (x: x) [
@@ -135,7 +104,7 @@
   };
 
   # System fonts
-  # Nice to have when X-forwading on headless machines
+  # Nice to have when X-forwarding on headless machines
   fonts.fontDir.enable = true; # creates /run/current-system/sw/share/X11/fonts
   fonts.enableDefaultPackages = true; # dejavu, freefont, gyre, liberation, unifont, noto-fonts-emoji
   fonts.packages = with pkgs; [
diff --git a/profiles/base/nix.nix b/profiles/base/nix.nix
new file mode 100644
index 0000000..2433a28
--- /dev/null
+++ b/profiles/base/nix.nix
@@ -0,0 +1,63 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+{
+  sops.secrets.nix-access-tokens = { };
+  sops.secrets.nix-access-tokens-all.mode = "0440";
+  sops.secrets.nix-access-tokens-all.group = config.users.groups."keys".name;
+  nix.extraOptions = ''
+    !include ${config.sops.secrets.nix-access-tokens.path}
+    !include ${config.sops.secrets.nix-access-tokens-all.path}
+  '';
+
+  nix.settings = {
+    experimental-features = [
+      "nix-command"
+      "flakes"
+      # "pipe-operator" # not supported on lix 2.91
+    ];
+    #nix.settings.allowed-users = [ "@builders" ]; # TODO: this
+    allowed-users = [
+      # default is [ "*" ]
+      "root"
+      "@wheel"
+    ];
+    trusted-users = [
+      "root"
+      "@wheel"
+    ];
+    keep-derivations = true; # keep .drv in store, great with nix-diff
+    auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
+    max-silent-time = 3600;
+    connect-timeout = 5; # seconds timeout for binary caches
+    #nix.settings.keep-failed = true; # fills up $TMPDIR
+    log-lines = 35;
+    min-free = 3 * 1024 * 1024 * 1024; # starts cg
+    max-free = 20 * 1024 * 1024 * 1024; # condition to end gc triggered by min-free
+
+    # should not be needed since https://github.com/NixOS/nixpkgs/pull/383052
+    system-features =
+      lib.mkIf
+        (
+          pkgs.stdenv.hostPlatform.system == "x86_64-linux"
+          && (lib.versionOlder (lib.versions.majorMinor lib.version) "25.05")
+        )
+        [
+          "nixos-test"
+          "big-parallel"
+          "kvm"
+        ];
+  };
+
+  nix.gc = {
+    #nix.optimize.automatic = true; # periodic optimization
+    automatic = true;
+    dates = "weekly";
+    options = lib.mkIf config.system.autoUpgrade.enable "--delete-older-than 15d";
+  };
+
+}
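Review bot: `trusted-users = [ "root" "@wheel" ]` in the new `nix.settings` block is a root-equivalent grant and nothing in the file says so; a trusted user can push arbitrary substituters and public keys, relax the sandbox and have the daemon build what it likes, so the line should carry a comment such as `# NOTE: trusted-users is root-equivalent via the daemon (substituters, sandbox, etc.); keep in step with the wheel/sudo policy in default.nix`. The same goes for `nix-access-tokens-all` with `mode = "0440"` and `group = keys`: every member of that group can read the forge tokens, which looks intended, but a one-line comment naming who is expected to be in `keys` would stop the next person from widening it casually. The two `!include` lines land in the system-wide nix.conf and are read by every client; if I read Nix's include handling right, the `!` form is what keeps the root-only token file from breaking non-root invocations, and that is worth stating on the `nix.extraOptions` line rather than leaving it implicit. Finally, `# starts cg` on `min-free` is a typo for `# starts gc`.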