nix.settings.substituters(system-level) & nixConfig.extra-substituers(flake-only)

2026-03-19 16:21:29 +01:00 · 2023-12-09 16:16:22 +08:00
parent abdf6d181b
commit 5237bf31c5
2 changed files with 83 additions and 86 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -1,21 +1,17 @@
 {
  description = "NixOS configuration of Ryan Yin";

-  # flake 为了确保够纯，它不依赖系统自身的 /etc/nix/nix.conf，而是在 flake.nix 中通过 nixConfig 设置
-  # 但是为了确保安全性，flake 默认仅允许直接设置少数 nixConfig 参数，其他参数都需要在执行 nix 命令时指定 `--accept-flake-config`，否则会被忽略
-  # <https://nixos.org/manual/nix/stable/command-ref/conf-file.html>
-  # 如果有些包国内镜像下载不到，它仍然会走国外，这时候就得靠旁路由来解决了。
-  # 临时修改默认网关为旁路由:  sudo ip route add default via 192.168.5.201
-  #                        sudo ip route del default via 192.168.5.201
-  nixConfig = {
-    experimental-features = [ "nix-command" "flakes" ];
-    substituters = [
-      # replace official cache with a mirror located in China
-      "https://mirrors.bfsu.edu.cn/nix-channels/store"
-      "https://cache.nixos.org/"
-    ];
+  ##################################################################################################################
+  #
+  # Want to know Nix in details? Looking for a beginner-friendly tutorial?
+  # Check out https://github.com/ryan4yin/nixos-and-flakes-book !
+  #
+  ##################################################################################################################

-    # nix community's cache server
+  # the nixConfig here only affects the flake itself, not the system configuration!
+  nixConfig = {
+    # substituers will be appended to the default substituters when fetching packages
+    # nix com    extra-substituters = [munity's cache server
    extra-substituters = [
      "https://nix-community.cachix.org"
    ];
@@ -24,63 +20,33 @@
    ];
  };

-  # 这是 flake.nix 的标准格式，inputs 是 flake 的依赖，outputs 是 flake 的输出
-  # inputs 中的每一项都被拉取、构建后，被作为参数传递给 outputs 函数
  inputs = {
-    # flake inputs 有很多种引用方式，应用最广泛的是 github 的引用方式
-
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";      # 使用 nixos-unstable 分支
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    home-manager.url = "github:nix-community/home-manager";
-    #　follows 是　inputs 中的继承语法
-    # 这里使　home-manager 的　nixpkgs 这个 inputs 与当前　flake 的　inputs.nixpkgs 保持一致，避免依赖的　nixpkgs 版本不一致导致问题
    home-manager.inputs.nixpkgs.follows = "nixpkgs";

-    # vscode 插件库
    nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
  };

-  # outputs 的参数都是 inputs 中定义的依赖项，可以通过它们的名称来引用。
-  # 不过 self 是个例外，这个特殊参数指向 outputs 自身（自引用），以及 flake 根目录
-  # 这里的 @ 语法将函数的参数 attribute set 取了个别名，方便在内部使用
-  outputs = inputs@{
-      self,
-      nixpkgs,
-      home-manager,
-      nix-vscode-extensions,
-      ...
+  outputs = inputs @ {
+    self,
+    nixpkgs,
+    home-manager,
+    nix-vscode-extensions,
+    ...
  }: {
-    # 名为 nixosConfigurations 的 outputs 会在执行 `nixos-rebuild switch --flake .` 时被使用
-    # 默认情况下会使用与主机 hostname 同名的 nixosConfigurations，但是也可以通过 `--flake .#<name>` 来指定
    nixosConfigurations = {
-      # hostname 为 nixos-test 的主机会使用这个配置
-      # 这里使用了 nixpkgs.lib.nixosSystem 函数来构建配置，后面的 attributes set 是它的参数
-      # 在 nixos 上使用此命令部署配置：`nixos-rebuild switch --flake .#nixos-test`
      nixos-test = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";

-        # modules 中每个参数，都是一个 NixOS Module <https://nixos.org/manual/nixos/stable/index.html#sec-modularity>
-        # NixOS Module 可以是一个 attribute set，也可以是一个返回 attribute set 的函数
-        # 如果是函数，那么它的参数就是当前的 NixOS Module 的参数.
-        # 根据 Nix Wiki 对 NixOS modules 的描述，NixOS modules 函数的参数可以有这四个（详见本仓库中的 modules 文件）：
-        #
-        #  config: The configuration of the entire system
-        #  options: All option declarations refined with all definition and declaration references.
-        #  pkgs: The attribute set extracted from the Nix package collection and enhanced with the nixpkgs.config option.
-        #  modulesPath: The location of the module directory of NixOS.
-        #
-        # nix flake 的 modules 系统可将配置模块化，提升配置的可维护性
-        # 默认只能传上面这四个参数，如果需要传其他参数，必须使用 specialArgs
        modules = [
          ./hosts/nixos-test

-          # home-manager 作为 nixos 的一个 module
-          # 这样在 nixos-rebuild switch 时，home-manager 也会被自动部署，不需要额外执行 home-manager switch 命令
          home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;

-            # 使用 home-manager.extraSpecialArgs 自定义传递给 ./home 的参数
            home-manager.extraSpecialArgs = inputs;
            home-manager.users.ryan = import ./home;
          }
@@ -93,23 +59,16 @@
        modules = [
          ./hosts/msi-rtx4090

-          # home-manager 作为 nixos 的一个 module
-          # 这样在 nixos-rebuild switch 时，home-manager 也会被自动部署，不需要额外执行 home-manager switch 命令
          home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;

-            # 使用 home-manager.extraSpecialArgs 自定义传递给 ./home 的参数
            home-manager.extraSpecialArgs = inputs;
            home-manager.users.ryan = import ./home;
          }
        ];
      };
-
-
-      # 如果你在 x86_64-linux 平台上执行 nix build，那么默认会使用这个配置，或者也能通过 `.#<name>` 参数来指定非 default 的配置
-      # packages.x86_64-linux.default =
    };
  };
 }
--- a/modules/system.nix
+++ b/modules/system.nix
@@ -1,6 +1,58 @@
-{ config, pkgs, ... }:
-
 {
+  pkgs,
+  lib,
+  ...
+}: let
+  username = "ryan";
+in {
+
+  # ============================= User related =============================
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.ryan = {
+    isNormalUser = true;
+    description = "ryan";
+    extraGroups = [ "networkmanager" "wheel" ];
+    openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj admin@ryan-MBP"
+    ];
+  };
+    # given the users in this list the right to specify additional substituters via:
+    #    1. `nixConfig.substituers` in `flake.nix`
+    #    2. command line args `--options substituers http://xxx`
+  nix.settings.trusted-users = [username];
+
+  # customise /etc/nix/nix.conf declaratively via `nix.settings`
+  nix.settings = {
+    # enable flakes globally
+    experimental-features = ["nix-command" "flakes"];
+
+    substituters = [
+      # cache mirror located in China
+      # status: https://mirror.sjtu.edu.cn/
+      "https://mirror.sjtu.edu.cn/nix-channels/store"
+      # status: https://mirrors.ustc.edu.cn/status/
+      # "https://mirrors.ustc.edu.cn/nix-channels/store"
+
+      "https://cache.nixos.org"
+    ];
+
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+    ];
+    builders-use-substitutes = true;
+  };
+
+  # do garbage collection weekly to keep disk usage low
+  nix.gc = {
+    automatic = lib.mkDefault true;
+    dates = lib.mkDefault "weekly";
+    options = lib.mkDefault "--delete-older-than 7d";
+  };
+
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = lib.mkDefault false;
+
  # Set your time zone.
  time.timeZone = "Asia/Shanghai";

@@ -21,7 +73,6 @@

  # Enable CUPS to print documents.
  services.printing.enable = true;
-  

  fonts = {
    fonts = with pkgs; [
@@ -34,7 +85,7 @@
      noto-fonts-emoji

      # nerdfonts
-      (nerdfonts.override { fonts = [ "FiraCode" "JetBrainsMono" ]; })
+      (nerdfonts.override {fonts = ["FiraCode" "JetBrainsMono"];})
    ];

    # use fonts specified by user rather than default ones
@@ -44,10 +95,10 @@
    # the reason there's Noto Color Emoji everywhere is to override DejaVu's
    # B&W emojis that would sometimes show instead of some Color emojis
    fontconfig.defaultFonts = {
-      serif = [ "Noto Serif" "Noto Color Emoji" ];
-      sansSerif = [ "Noto Sans" "Noto Color Emoji" ];
-      monospace = [ "JetBrainsMono Nerd Font" "Noto Color Emoji" ];
-      emoji = [ "Noto Color Emoji" ];
+      serif = ["Noto Serif" "Noto Color Emoji"];
+      sansSerif = ["Noto Sans" "Noto Color Emoji"];
+      monospace = ["JetBrainsMono Nerd Font" "Noto Color Emoji"];
+      emoji = ["Noto Color Emoji"];
    };
  };

@@ -63,15 +114,12 @@
    enable = true;
    settings = {
      X11Forwarding = true;
-      PermitRootLogin = "no";         # disable root login
+      PermitRootLogin = "no"; # disable root login
      PasswordAuthentication = false; # disable password login
    };
    openFirewall = true;
  };

-  # Allow unfree packages
-  nixpkgs.config.allowUnfree = true;
-
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
@@ -80,13 +128,13 @@
    curl
    git
    sysstat
-    lm_sensors  # for `sensors` command
+    lm_sensors # for `sensors` command
    # minimal screen capture tool, used by i3 blur lock to take a screenshot
    # print screen key is also bound to this tool in i3 config
    scrot
    neofetch
-    xfce.thunar  # xfce4's file manager
-    nnn          # terminal file manager
+    xfce.thunar # xfce4's file manager
+    nnn # terminal file manager
  ];

  # Enable sound with pipewire.
@@ -98,7 +146,7 @@
  security.polkit.enable = true;

  services = {
-    dbus.packages = [ pkgs.gcr ];
+    dbus.packages = [pkgs.gcr];

    geoclue2.enable = true;

@@ -115,16 +163,6 @@
      #media-session.enable = true;
    };

-    udev.packages = with pkgs; [ gnome.gnome-settings-daemon ];
+    udev.packages = with pkgs; [gnome.gnome-settings-daemon];
  };
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.ryan = {
-    isNormalUser = true;
-    description = "ryan";
-    extraGroups = [ "networkmanager" "wheel" ];
-    openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj admin@ryan-MBP"
-    ];
-  };
-}
+}