From 5237bf31c504160b9b39a871e78a00fb3ce2095c Mon Sep 17 00:00:00 2001 From: Ryan Yin Date: Sat, 9 Dec 2023 16:16:22 +0800 Subject: [PATCH] nix.settings.substituters(system-level) & nixConfig.extra-substituers(flake-only) --- flake.nix | 75 +++++++++--------------------------- modules/system.nix | 94 ++++++++++++++++++++++++++++++++-------------- 2 files changed, 83 insertions(+), 86 deletions(-) diff --git a/flake.nix b/flake.nix index b8d03291..9146eaad 100644 --- a/flake.nix +++ b/flake.nix @@ -1,21 +1,17 @@ { description = "NixOS configuration of Ryan Yin"; - # flake 为了确保够纯,它不依赖系统自身的 /etc/nix/nix.conf,而是在 flake.nix 中通过 nixConfig 设置 - # 但是为了确保安全性,flake 默认仅允许直接设置少数 nixConfig 参数,其他参数都需要在执行 nix 命令时指定 `--accept-flake-config`,否则会被忽略 - # - # 如果有些包国内镜像下载不到,它仍然会走国外,这时候就得靠旁路由来解决了。 - # 临时修改默认网关为旁路由: sudo ip route add default via 192.168.5.201 - # sudo ip route del default via 192.168.5.201 - nixConfig = { - experimental-features = [ "nix-command" "flakes" ]; - substituters = [ - # replace official cache with a mirror located in China - "https://mirrors.bfsu.edu.cn/nix-channels/store" - "https://cache.nixos.org/" - ]; + ################################################################################################################## + # + # Want to know Nix in details? Looking for a beginner-friendly tutorial? + # Check out https://github.com/ryan4yin/nixos-and-flakes-book ! + # + ################################################################################################################## - # nix community's cache server + # the nixConfig here only affects the flake itself, not the system configuration! + nixConfig = { + # substituers will be appended to the default substituters when fetching packages + # nix com extra-substituters = [munity's cache server extra-substituters = [ "https://nix-community.cachix.org" ]; 
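Review bot: The comment added directly above `extra-substituters` reads as a garbled paste (`# nix com extra-substituters = [munity's cache server`), and the line before it misspells the setting as `substituers`; I would restore it to `# nix community's cache server`. The removed header comments also held the one security-relevant fact about this block, namely that most flake `nixConfig` values are ignored unless `--accept-flake-config` is passed. That is worth keeping as a single English line, for example `# only honoured for trusted users or with --accept-flake-config`. The `nixConfig` block continues past the end of this hunk, so the matching public-key list cannot be checked from here.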
@@ -24,63 +20,33 @@ ]; }; - # 这是 flake.nix 的标准格式,inputs 是 flake 的依赖,outputs 是 flake 的输出 - # inputs 中的每一项都被拉取、构建后,被作为参数传递给 outputs 函数 inputs = { - # flake inputs 有很多种引用方式,应用最广泛的是 github 的引用方式 - - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # 使用 nixos-unstable 分支 + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; home-manager.url = "github:nix-community/home-manager"; - # follows 是 inputs 中的继承语法 - # 这里使 home-manager 的 nixpkgs 这个 inputs 与当前 flake 的 inputs.nixpkgs 保持一致,避免依赖的 nixpkgs 版本不一致导致问题 home-manager.inputs.nixpkgs.follows = "nixpkgs"; - # vscode 插件库 nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; }; - # outputs 的参数都是 inputs 中定义的依赖项,可以通过它们的名称来引用。 - # 不过 self 是个例外,这个特殊参数指向 outputs 自身(自引用),以及 flake 根目录 - # 这里的 @ 语法将函数的参数 attribute set 取了个别名,方便在内部使用 - outputs = inputs@{ - self, - nixpkgs, - home-manager, - nix-vscode-extensions, - ... + outputs = inputs @ { + self, + nixpkgs, + home-manager, + nix-vscode-extensions, + ... }: { - # 名为 nixosConfigurations 的 outputs 会在执行 `nixos-rebuild switch --flake .` 时被使用 - # 默认情况下会使用与主机 hostname 同名的 nixosConfigurations,但是也可以通过 `--flake .#` 来指定 nixosConfigurations = { - # hostname 为 nixos-test 的主机会使用这个配置 - # 这里使用了 nixpkgs.lib.nixosSystem 函数来构建配置,后面的 attributes set 是它的参数 - # 在 nixos 上使用此命令部署配置:`nixos-rebuild switch --flake .#nixos-test` nixos-test = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - # modules 中每个参数,都是一个 NixOS Module - # NixOS Module 可以是一个 attribute set,也可以是一个返回 attribute set 的函数 - # 如果是函数,那么它的参数就是当前的 NixOS Module 的参数. - # 根据 Nix Wiki 对 NixOS modules 的描述,NixOS modules 函数的参数可以有这四个(详见本仓库中的 modules 文件): - # - # config: The configuration of the entire system - # options: All option declarations refined with all definition and declaration references. - # pkgs: The attribute set extracted from the Nix package collection and enhanced with the nixpkgs.config option. - # modulesPath: The location of the module directory of NixOS. 
- # - # nix flake 的 modules 系统可将配置模块化,提升配置的可维护性 - # 默认只能传上面这四个参数,如果需要传其他参数,必须使用 specialArgs modules = [ ./hosts/nixos-test - # home-manager 作为 nixos 的一个 module - # 这样在 nixos-rebuild switch 时,home-manager 也会被自动部署,不需要额外执行 home-manager switch 命令 home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; - # 使用 home-manager.extraSpecialArgs 自定义传递给 ./home 的参数 home-manager.extraSpecialArgs = inputs; home-manager.users.ryan = import ./home; } @@ -93,23 +59,16 @@ modules = [ ./hosts/msi-rtx4090 - # home-manager 作为 nixos 的一个 module - # 这样在 nixos-rebuild switch 时,home-manager 也会被自动部署,不需要额外执行 home-manager switch 命令 home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; - # 使用 home-manager.extraSpecialArgs 自定义传递给 ./home 的参数 home-manager.extraSpecialArgs = inputs; home-manager.users.ryan = import ./home; } ]; }; - - - # 如果你在 x86_64-linux 平台上执行 nix build,那么默认会使用这个配置,或者也能通过 `.#` 参数来指定非 default 的配置 - # packages.x86_64-linux.default = }; }; } diff --git a/modules/system.nix b/modules/system.nix index 3e54a0ba..acd4f23d 100644 --- a/modules/system.nix +++ b/modules/system.nix 
@@ -1,6 +1,58 @@ -{ config, pkgs, ... }: - { + pkgs, + lib, + ... +}: let + username = "ryan"; +in { + + # ============================= User related ============================= + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.ryan = { + isNormalUser = true; + description = "ryan"; + extraGroups = [ "networkmanager" "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj admin@ryan-MBP" + ]; + }; + # given the users in this list the right to specify additional substituters via: + # 1. `nixConfig.substituers` in `flake.nix` + # 2. command line args `--options substituers http://xxx` + nix.settings.trusted-users = [username]; + + # customise /etc/nix/nix.conf declaratively via `nix.settings` + nix.settings = { + # enable flakes globally + experimental-features = ["nix-command" "flakes"]; + + substituters = [ + # cache mirror located in China + # status: https://mirror.sjtu.edu.cn/ + "https://mirror.sjtu.edu.cn/nix-channels/store" + # status: https://mirrors.ustc.edu.cn/status/ + # "https://mirrors.ustc.edu.cn/nix-channels/store" + + "https://cache.nixos.org" + ]; + + trusted-public-keys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + ]; + builders-use-substitutes = true; + }; + + # do garbage collection weekly to keep disk usage low + nix.gc = { + automatic = lib.mkDefault true; + dates = lib.mkDefault "weekly"; + options = lib.mkDefault "--delete-older-than 7d"; + }; + + # Allow unfree packages + nixpkgs.config.allowUnfree = lib.mkDefault false; + # Set your time zone. time.timeZone = "Asia/Shanghai"; @@ -21,7 +73,6 @@ # Enable CUPS to print documents. services.printing.enable = true; - fonts = { fonts = with pkgs; [ 
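Review bot: `nix.settings.trusted-users = [username];` grants much more than the comment above it says. A trusted user can also override the daemon's signature checking and supply their own trusted keys, which the Nix manual describes as essentially root-equivalent. If the goal is only to let the flake's `extra-substituters` take effect, drop that line and allow the cache on the system side instead: `nix.settings.trusted-substituters = ["https://nix-community.cachix.org"];`, with its public key added to `trusted-public-keys` (copy the key from flake.nix; it is not visible in this hunk). The same comment misspells `substituters` twice, and the CLI flag is `--option`, not `--options`. As a style point, `users.users.ryan` could be written `users.users.${username}` so the account and the trusted-users entry cannot drift apart.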
@@ -34,7 +85,7 @@ noto-fonts-emoji # nerdfonts - (nerdfonts.override { fonts = [ "FiraCode" "JetBrainsMono" ]; }) + (nerdfonts.override {fonts = ["FiraCode" "JetBrainsMono"];}) ]; # use fonts specified by user rather than default ones @@ -44,10 +95,10 @@ # the reason there's Noto Color Emoji everywhere is to override DejaVu's # B&W emojis that would sometimes show instead of some Color emojis fontconfig.defaultFonts = { - serif = [ "Noto Serif" "Noto Color Emoji" ]; - sansSerif = [ "Noto Sans" "Noto Color Emoji" ]; - monospace = [ "JetBrainsMono Nerd Font" "Noto Color Emoji" ]; - emoji = [ "Noto Color Emoji" ]; + serif = ["Noto Serif" "Noto Color Emoji"]; + sansSerif = ["Noto Sans" "Noto Color Emoji"]; + monospace = ["JetBrainsMono Nerd Font" "Noto Color Emoji"]; + emoji = ["Noto Color Emoji"]; }; }; @@ -63,15 +114,12 @@ enable = true; settings = { X11Forwarding = true; - PermitRootLogin = "no"; # disable root login + PermitRootLogin = "no"; # disable root login PasswordAuthentication = false; # disable password login }; openFirewall = true; }; - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ @@ -80,13 +128,13 @@ curl git sysstat - lm_sensors # for `sensors` command + lm_sensors # for `sensors` command # minimal screen capture tool, used by i3 blur lock to take a screenshot # print screen key is also bound to this tool in i3 config scrot neofetch - xfce.thunar # xfce4's file manager - nnn # terminal file manager + xfce.thunar # xfce4's file manager + nnn # terminal file manager ]; # Enable sound with pipewire. @@ -98,7 +146,7 @@ security.polkit.enable = true; services = { - dbus.packages = [ pkgs.gcr ]; + dbus.packages = [pkgs.gcr]; geoclue2.enable = true; 
@@ -115,16 +163,6 @@ #media-session.enable = true; }; - udev.packages = with pkgs; [ gnome.gnome-settings-daemon ]; + udev.packages = with pkgs; [gnome.gnome-settings-daemon]; }; - - # Define a user account. Don't forget to set a password with ‘passwd’. - users.users.ryan = { - isNormalUser = true; - description = "ryan"; - extraGroups = [ "networkmanager" "wheel" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj admin@ryan-MBP" - ]; - }; -} \ No newline at end of file +}