shell.nix

   1 { inputs, pkgs, ... }:
   2 let
   3   # Configuration of shell/modules/
   4   # to expand shellHook and buildInputs of this shell.nix
   5   shellConfig = {config, ...}: {
   6     imports = [
   7       shell/gnupg.nix
   8     ];
   9     nix = {
  10       nixConf = ''
  11         auto-optimise-store = true
  12         experimental-features nix-command flake
  13       '';
  14     };
  15     gnupg = {
  16       enable = true;
  17       gnupgHome = "../sec/gnupg";
  18       gpgExtraConf = ''
  19         # julm@sourcephile.fr
  20         trusted-key 0xB2450D97085B7B8C
  21       '';
  22       gpgAgentExtraConf = ''
  23         #pretend-request-origin remote
  24         #extra-socket ${toString ./.}/S.gpg-agent.extra
  25         #log-file ${toString ./.}/gpg-agent.log
  26         #no-grab
  27         #debug-level expert
  28         #allow-loopback-pinentry
  29       '';
  30     };
  31     /*
  32     openssl = {
  33       enable = true;
  34       opensslHome = "../sec/openssl";
  35       certificates = import shell/x509.nix;
  36     };
  37     */
  38     openssh = {
  39       enable = true;
  40       sshConf = ''
  41         Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
  42         Compression no
  43         #CompressionLevel 4
  44         ControlMaster auto
  45         ControlPath .ssh-%h-%p-%r.socket
  46         HashKnownHosts no
  47         #SSAPIAuthentication no
  48         SendEnv LANG LC_*
  49         StrictHostKeyChecking yes
  50         UserKnownHostsFile ${inputs.secrets + "/ssh/known_hosts"}
  51       '';
  52     };
  53     virtualbox = {
  54       enable = false;
  55     };
  56   };
  57
  58   # Using modules enables to separate specific configurations
  59   # from reusable code in shell/modules.nix and shell/modules/
  60   # which may find its way in another git repository one day.
  61   shell = (pkgs.lib.evalModules {
  62     modules = [
  63       shellConfig
  64       { config._module.args = { inherit inputs pkgs; }; }
  65     ] ++ map import (pkgs.lib.findFiles ".*\\.nix" (inputs.shell + "/modules"));
  66   }).config;
  67
  68   pwd = toString (./. + "");
  69   sourcephile-shred-tmp = pkgs.writeShellScriptBin "sourcephile-shred-tmp" ''
  70     # This is done when entering the nix-shell
  71     # because direnv already hooks trap EXIT.
  72     cd "${pwd}"
  73     test ! -e sec/tmp || {
  74     find sec/tmp -type f -exec shred -fu {} +
  75     rm -rf sec/tmp
  76     }
  77   '';
  78 in
  79 pkgs.mkShell {
  80   name = "sourcephile-nix";
  81   src = null;
  82   #preferLocalBuild = true;
  83   #allowSubstitutes = false;
  84   buildInputs = shell.nix-shell.buildInputs ++ [
  85     sourcephile-shred-tmp
  86     (pkgs.nixos []).nixos-generate-config
  87     (pkgs.nixos []).nixos-install
  88     (pkgs.nixos []).nixos-enter
  89     #pkgs.binutils
  90     pkgs.coreutils
  91     pkgs.cryptsetup
  92     pkgs.curl
  93     #pkgs.direnv
  94     pkgs.dnsutils
  95     #pkgs.dropbear
  96     pkgs.e2fsprogs
  97     pkgs.git
  98     pkgs.glibcLocales
  99     pkgs.gnumake
 100     pkgs.gnupg
 101     pkgs.htop
 102     #pkgs.inetutils
 103     pkgs.ipcalc
 104     #pkgs.iputils
 105     pkgs.less
 106     pkgs.libfaketime
 107     pkgs.ldns
 108     #pkgs.ldns.examples
 109     #pkgs.mailutils
 110     pkgs.man
 111     pkgs.mdadm
 112     pkgs.gptfdisk
 113     pkgs.ncdu
 114     pkgs.ncurses
 115     #pkgs.nixops
 116     #pkgs.openssl
 117     pkgs.pass
 118     pkgs.procps
 119     pkgs.rsync
 120     #pkgs.rxvt_unicode.terminfo
 121     #pkgs.sqlite
 122     pkgs.sqlite
 123     #pkgs.sudo
 124     pkgs.tig
 125     pkgs.time
 126     #pkgs.tmux
 127     pkgs.tree
 128     pkgs.utillinux
 129     #pkgs.vim
 130     #pkgs.virtualbox
 131     pkgs.which
 132     pkgs.xdg_utils
 133     pkgs.fio
 134     pkgs.strace
 135     pkgs.utillinux
 136     #pkgs.zfstools
 137     pkgs.linuxPackages.perf
 138     #pkgs.go2nix
 139     pkgs.wireguard
 140     pkgs.stun
 141     pkgs.mkpasswd
 142     #pkgs.ubootTools
 143     #pkgs.hydra-unstable
 144   ];
 145   #enableParallelBuilding = true;
 146
 147   PASSWORD_STORE_DIR = "pass";
 148   GNUPGHOME = shell.gnupg.gnupgHome;
 149   NIX_PATH = pkgs.lib.concatStringsSep ":" [
 150     "nixpkgs=${pkgs.path}"
 151     ("nixpkgs-overlays=" + pkgs.writeText "overlays.nix" ''
 152       import ${inputs.self + "/nixpkgs/overlays.nix"} ++
 153       import ${inputs.julm-nix + "/nixpkgs/overlays.nix"}
 154     '')
 155   ];
 156
 157   shellHook = ''
 158     echo >&2 "nix: running shellHook"
 159
 160     # Since the .envrc calls this shellHook
 161     # the EXIT trap cannot be freely used
 162     # because it's already used by direnv,
 163     # hence shred at startup, which is not ideal.
 164     sourcephile-shred-tmp
 165
 166     ${shell.nix-shell.shellHook}
 167
 168     # gpg
 169     export GPG_TTY=$(tty)
 170     gpg-connect-agent updatestartuptty /bye >/dev/null
 171   '';
 172 }