shell.nix

   1 { inputs, pkgs, ... }:
   2 let
   3   # Configuration of shell/modules/
   4   # to expand shellHook and buildInputs of this shell.nix
   5   shellConfig = {config, ...}: {
   6     imports = [
   7       shell/gnupg.nix
   8     ];
   9     nix = {
  10       nixConf = ''
  11         auto-optimise-store = true
  12         experimental-features nix-command flake
  13       '';
  14     };
  15     gnupg = {
  16       enable = true;
  17       gnupgHome = "../sec/gnupg";
  18       gpgExtraConf = ''
  19         # julm@sourcephile.fr
  20         trusted-key 0xB2450D97085B7B8C
  21         default-key 0x4FE467034C11017B429BAC53A58CD81C3863926F
  22       '';
  23       gpgAgentExtraConf = ''
  24         #pretend-request-origin remote
  25         #extra-socket ${toString ./.}/S.gpg-agent.extra
  26         #log-file ${toString ./.}/gpg-agent.log
  27         #no-grab
  28         #debug-level expert
  29         #allow-loopback-pinentry
  30       '';
  31     };
  32     /*
  33     openssl = {
  34       enable = true;
  35       opensslHome = "../sec/openssl";
  36       certificates = import shell/x509.nix;
  37     };
  38     */
  39     openssh = {
  40       enable = true;
  41       sshConf = ''
  42         Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
  43         Compression no
  44         #CompressionLevel 4
  45         ControlMaster auto
  46         ControlPath .ssh-%h-%p-%r.socket
  47         HashKnownHosts no
  48         #SSAPIAuthentication no
  49         SendEnv LANG LC_*
  50         StrictHostKeyChecking yes
  51         UserKnownHostsFile ${inputs.secrets + "/ssh/known_hosts"}
  52       '';
  53     };
  54     virtualbox = {
  55       enable = false;
  56     };
  57   };
  58
  59   # Using modules enables to separate specific configurations
  60   # from reusable code in shell/modules.nix and shell/modules/
  61   # which may find its way in another git repository one day.
  62   shell = (pkgs.lib.evalModules {
  63     modules = [
  64       shellConfig
  65       { config._module.args = { inherit inputs pkgs; }; }
  66     ] ++ map import (pkgs.lib.findFiles ".*\\.nix" (inputs.shell + "/modules"));
  67   }).config;
  68
  69   pwd = toString (./. + "");
  70   sourcephile-shred-tmp = pkgs.writeShellScriptBin "sourcephile-shred-tmp" ''
  71     # This is done when entering the nix-shell
  72     # because direnv already hooks trap EXIT.
  73     cd "${pwd}"
  74     test ! -e sec/tmp || {
  75     find sec/tmp -type f -exec shred -fu {} +
  76     rm -rf sec/tmp
  77     }
  78   '';
  79 in
  80 pkgs.mkShell {
  81   name = "sourcephile-nix";
  82   src = null;
  83   #preferLocalBuild = true;
  84   #allowSubstitutes = false;
  85   buildInputs = shell.nix-shell.buildInputs ++ [
  86     sourcephile-shred-tmp
  87     (pkgs.nixos []).nixos-generate-config
  88     (pkgs.nixos []).nixos-install
  89     (pkgs.nixos []).nixos-enter
  90     #pkgs.binutils
  91     pkgs.coreutils
  92     pkgs.cryptsetup
  93     pkgs.curl
  94     #pkgs.direnv
  95     pkgs.dnsutils
  96     #pkgs.dropbear
  97     pkgs.e2fsprogs
  98     pkgs.git
  99     pkgs.glibcLocales
 100     pkgs.gnumake
 101     pkgs.gnupg
 102     pkgs.htop
 103     #pkgs.inetutils
 104     pkgs.ipcalc
 105     #pkgs.iputils
 106     pkgs.less
 107     pkgs.libfaketime
 108     pkgs.ldns
 109     #pkgs.ldns.examples
 110     #pkgs.mailutils
 111     pkgs.man
 112     pkgs.mdadm
 113     pkgs.gptfdisk
 114     pkgs.ncdu
 115     pkgs.ncurses
 116     #pkgs.nixops
 117     #pkgs.openssl
 118     pkgs.pass
 119     pkgs.procps
 120     pkgs.rsync
 121     #pkgs.rxvt_unicode.terminfo
 122     #pkgs.sqlite
 123     pkgs.sqlite
 124     #pkgs.sudo
 125     pkgs.tig
 126     pkgs.time
 127     #pkgs.tmux
 128     pkgs.tree
 129     pkgs.utillinux
 130     #pkgs.vim
 131     #pkgs.virtualbox
 132     pkgs.which
 133     pkgs.xdg_utils
 134     pkgs.fio
 135     pkgs.strace
 136     pkgs.utillinux
 137     #pkgs.zfstools
 138     pkgs.linuxPackages.perf
 139     #pkgs.go2nix
 140     pkgs.wireguard-tools
 141     pkgs.stun
 142     pkgs.mkpasswd
 143     #pkgs.ubootTools
 144     #pkgs.hydra-unstable
 145   ];
 146   #enableParallelBuilding = true;
 147
 148   PASSWORD_STORE_DIR = "pass";
 149   GNUPGHOME = shell.gnupg.gnupgHome;
 150   NIX_PATH = pkgs.lib.concatStringsSep ":" [
 151     "nixpkgs=${pkgs.path}"
 152     ("nixpkgs-overlays=" + pkgs.writeText "overlays.nix" ''
 153       import ${inputs.self + "/nixpkgs/overlays.nix"} ++
 154       import ${inputs.julm-nix + "/nixpkgs/overlays.nix"}
 155     '')
 156   ];
 157
 158   shellHook = ''
 159     echo >&2 "nix: running shellHook"
 160
 161     # Since the .envrc calls this shellHook
 162     # the EXIT trap cannot be freely used
 163     # because it's already used by direnv,
 164     # hence shred at startup, which is not ideal.
 165     sourcephile-shred-tmp
 166
 167     ${shell.nix-shell.shellHook}
 168
 169     # gpg
 170     export GPG_TTY=$(tty)
 171     gpg-connect-agent updatestartuptty /bye >/dev/null
 172   '';
 173 }