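{ inputs, pkgs, ... }:
let
  # Configuration of shell/modules/
  # to expand shellHook and buildInputs of this shell.nix.
  # It is evaluated below with pkgs.lib.evalModules, together with
  # every *.nix file found under inputs.shell + "/modules".
  shellConfig = { config, ... }: {
    imports = [
      shell/gnupg.nix
    ];
    nix = {
      # nix.conf syntax is `name = value` (as the first line already uses).
      # The previous line read `experimental-features nix-command flake`:
      # it lacked the `=` and the feature is named `flakes`, so nix would
      # reject it as an illegal configuration line.
      # NOTE(review): confirm against how shell/modules/ consumes nixConf.
      nixConf = ''
        auto-optimise-store = true
        experimental-features = nix-command flakes
      '';
    };
    gnupg = {
      enable = true;
      # Relative path; it is exported as GNUPGHOME by mkShell below,
      # so it resolves against the directory the shell is entered from.
      gnupgHome = "../sec/gnupg";
      # `trusted-key` marks that key as ultimately trusted for this
      # GNUPGHOME. A 64-bit key id is given here; gpg also accepts the full
      # fingerprint, which (unlike a key id) cannot be matched by a second,
      # colliding key.
      gpgExtraConf = ''
        # julm@sourcephile.fr
        trusted-key 0xB2450D97085B7B8C
      '';
      # All entries are currently disabled; kept as a reference.
      gpgAgentExtraConf = ''
        #pretend-request-origin remote
        #extra-socket ${toString ./.}/S.gpg-agent.extra
        #log-file ${toString ./.}/gpg-agent.log
        #no-grab
        #debug-level expert
        #allow-loopback-pinentry
      '';
    };
    /*
    openssl = {
      enable = true;
      opensslHome = "../sec/openssl";
      certificates = import shell/x509.nix;
    };
    */
    openssh = {
      enable = true;
      # StrictHostKeyChecking yes together with a pinned UserKnownHostsFile
      # (taken from the `secrets` input) means a host missing from that file
      # is refused rather than prompted for; new hosts must be added there.
      # HashKnownHosts no keeps that committed file readable and diffable.
      # ControlPath is relative: ssh resolves it against the directory the
      # ssh command is started from, not against this repository, so the
      # multiplexing socket may land in whatever directory is current.
      # A path under a private directory (e.g. $XDG_RUNTIME_DIR) would keep
      # it out of any shared or world-listable location.
      sshConf = ''
        Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
        Compression no
        #CompressionLevel 4
        ControlMaster auto
        ControlPath .ssh-%h-%p-%r.socket
        HashKnownHosts no
        #SSAPIAuthentication no
        SendEnv LANG LC_*
        StrictHostKeyChecking yes
        UserKnownHostsFile ${inputs.secrets + "/ssh/known_hosts"}
      '';
    };
    virtualbox = {
      enable = false;
    };
  };

  # Using modules enables to separate specific configurations
  # from reusable code in shell/modules.nix and shell/modules/
  # which may find its way in another git repository one day.
  shell = (pkgs.lib.evalModules {
    modules = [
      shellConfig
      # Expose `inputs` and `pkgs` as module arguments.
      { config._module.args = { inherit inputs pkgs; }; }
    ] ++ map import (pkgs.lib.findFiles ".*\\.nix" (inputs.shell + "/modules"));
  }).config;

  # This directory as a plain string (path + "" yields a string rather than
  # a store path).
  # NOTE(review): if shell.nix is itself evaluated from a flake, ./. is
  # already the store copy of the source; confirm this resolves to the
  # checkout and not to /nix/store, since the script below cd's into it.
  pwd = toString (./. + "");

  # Wipes sec/tmp. Run on shell entry (see shellHook) because direnv
  # already owns the EXIT trap.
  # shred overwrites in place, which only reaches the old blocks on
  # filesystems that rewrite in place; on copy-on-write or journaling
  # filesystems earlier contents may survive elsewhere on disk.
  sourcephile-shred-tmp = pkgs.writeShellScriptBin "sourcephile-shred-tmp" ''
    # This is done when entering the nix-shell
    # because direnv already hooks trap EXIT.
    cd "${pwd}"
    test ! -e sec/tmp || {
      find sec/tmp -type f -exec shred -fu {} +
      rm -rf sec/tmp
    }
  '';
in
pkgs.mkShell {
  name = "sourcephile-nix";
  src = null;
  #preferLocalBuild = true;
  #allowSubstitutes = false;
  # Tools of the modules' nix-shell, plus the ones listed here.
  # (pkgs.utillinux used to be listed twice; it is now listed once.)
  buildInputs = shell.nix-shell.buildInputs ++ [
    sourcephile-shred-tmp
    (pkgs.nixos []).nixos-generate-config
    (pkgs.nixos []).nixos-install
    (pkgs.nixos []).nixos-enter
    #pkgs.binutils
    pkgs.coreutils
    pkgs.cryptsetup
    pkgs.curl
    #pkgs.direnv
    pkgs.dnsutils
    #pkgs.dropbear
    pkgs.e2fsprogs
    pkgs.git
    pkgs.glibcLocales
    pkgs.gnumake
    pkgs.gnupg
    pkgs.htop
    #pkgs.inetutils
    pkgs.ipcalc
    #pkgs.iputils
    pkgs.less
    pkgs.libfaketime
    pkgs.ldns
    #pkgs.ldns.examples
    #pkgs.mailutils
    pkgs.man
    pkgs.mdadm
    pkgs.gptfdisk
    pkgs.ncdu
    pkgs.ncurses
    #pkgs.nixops
    #pkgs.openssl
    pkgs.pass
    pkgs.procps
    pkgs.rsync
    #pkgs.rxvt_unicode.terminfo
    pkgs.sqlite
    #pkgs.sudo
    pkgs.tig
    pkgs.time
    #pkgs.tmux
    pkgs.tree
    pkgs.utillinux
    #pkgs.vim
    #pkgs.virtualbox
    pkgs.which
    pkgs.xdg_utils
    pkgs.fio
    pkgs.strace
    #pkgs.zfstools
    pkgs.linuxPackages.perf
    #pkgs.go2nix
    pkgs.wireguard
    pkgs.stun
    pkgs.mkpasswd
    #pkgs.ubootTools
    #pkgs.hydra-unstable
  ];
  #enableParallelBuilding = true;

  # Both are relative paths, resolved against the directory the shell
  # is entered from.
  PASSWORD_STORE_DIR = "pass";
  GNUPGHOME = shell.gnupg.gnupgHome;
  # Pin nixpkgs to the one this shell was built with and stack the
  # overlays of this repository and of julm-nix.
  NIX_PATH = pkgs.lib.concatStringsSep ":" [
    "nixpkgs=${pkgs.path}"
    ("nixpkgs-overlays=" + pkgs.writeText "overlays.nix" ''
      import ${inputs.self + "/nixpkgs/overlays.nix"} ++
      import ${inputs.julm-nix + "/nixpkgs/overlays.nix"}
    '')
  ];

  # Entry hook: wipe sec/tmp, run the modules' hook, then point a running
  # gpg-agent at the current tty so pinentry shows up here.
  shellHook = ''
    echo >&2 "nix: running shellHook"

    # Since the .envrc calls this shellHook
    # the EXIT trap cannot be freely used
    # because it's already used by direnv,
    # hence shred at startup, which is not ideal.
    sourcephile-shred-tmp

    ${shell.nix-shell.shellHook}

    # gpg
    export GPG_TTY=$(tty)
    gpg-connect-agent updatestartuptty /bye >/dev/null
  '';
}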