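# Development shell for the sourcephile-nix repository.
#
# Arguments:
#   inputs: the flake-style inputs attrset; this file reads inputs.shell,
#           inputs.secrets, inputs.self and inputs.julm-nix.
#   pkgs:   the nixpkgs package set the shell is built from.
#
# Returns a pkgs.mkShell derivation whose buildInputs and shellHook are
# extended with whatever the modules under shell/modules/ contribute.
{ inputs, pkgs, ... }:
let
  # Configuration of shell/modules/
  # to expand shellHook and buildInputs of this shell.nix
  shellConfig = { config, ... }: {
    imports = [
      shell/gnupg.nix
    ];
    nix = {
      # nix.conf syntax: one `name = value` setting per line.
      # The flakes feature is spelled `flakes`, and a line without `=`
      # is rejected by the nix.conf parser.
      nixConf = ''
        auto-optimise-store = true
        experimental-features = nix-command flakes
      '';
    };
    gnupg = {
      enable = true;
      # Relative to the shell's working directory (see shell/gnupg.nix).
      gnupgHome = "../sec/gnupg";
      # Extra lines appended to gpg.conf: mark the maintainer key as trusted.
      gpgExtraConf = ''
        # julm@sourcephile.fr
        trusted-key 0xB2450D97085B7B8C
      '';
      # Extra lines appended to gpg-agent.conf; all currently disabled.
      # Note that ''${toString ./.} below is still interpolated by Nix even
      # though the resulting gpg-agent.conf lines are commented out.
      gpgAgentExtraConf = ''
        #pretend-request-origin remote
        #extra-socket ${toString ./.}/S.gpg-agent.extra
        #log-file ${toString ./.}/gpg-agent.log
        #no-grab
        #debug-level expert
        #allow-loopback-pinentry
      '';
    };
    /*
    openssl = {
      enable = true;
      opensslHome = "../sec/openssl";
      certificates = import shell/x509.nix;
    };
    */
    openssh = {
      enable = true;
      # ssh_config lines for the shell's ssh.
      # Host keys are pinned from the secrets input and unknown hosts are
      # rejected (StrictHostKeyChecking yes) instead of trusted on first use.
      # NOTE(review): ControlPath is relative to the current directory, so
      # the multiplexing socket is created inside the checkout; confirm
      # this is intended rather than a private directory such as ~/.ssh.
      sshConf = ''
        Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
        Compression no
        #CompressionLevel 4
        ControlMaster auto
        ControlPath .ssh-%h-%p-%r.socket
        HashKnownHosts no
        #GSSAPIAuthentication no
        SendEnv LANG LC_*
        StrictHostKeyChecking yes
        UserKnownHostsFile ${inputs.secrets + "/ssh/known_hosts"}
      '';
    };
    virtualbox = {
      enable = false;
    };
  };

  # Using modules enables to separate specific configurations
  # from reusable code in shell/modules.nix and shell/modules/
  # which may find its way in another git repository one day.
  # Every *.nix file under inputs.shell + "/modules" is imported as a module;
  # `shell` is the resulting evaluated config.
  shell = (pkgs.lib.evalModules {
    modules = [ shellConfig ] ++ map import (pkgs.lib.findFiles ".*\\.nix" (inputs.shell + "/modules"));
    args = { inherit inputs pkgs; };
  }).config;

  # Directory containing this file at evaluation time.
  # NOTE(review): when this shell.nix is imported from a flake, ./. is the
  # store copy of the source rather than the git checkout — confirm that
  # the shred script below ends up in the intended directory.
  pwd = toString (./. + "");
  # Wipes sec/tmp when entering the shell.
  # NOTE(review): shred only overwrites in place; on copy-on-write,
  # journaling or snapshotted filesystems the old blocks may survive
  # (see shred(1)), so this is best-effort rather than a guarantee.
  sourcephile-shred-tmp = pkgs.writeShellScriptBin "sourcephile-shred-tmp" ''
    # This is done when entering the nix-shell
    # because direnv already hooks trap EXIT.
    cd "${pwd}"
    test ! -e sec/tmp || {
      find sec/tmp -type f -exec shred -fu {} +
      rm -rf sec/tmp
    }
  '';
in
pkgs.mkShell {
  name = "sourcephile-nix";
  src = null;
  #preferLocalBuild = true;
  #allowSubstitutes = false;
  # Tools provided by the modules, plus the repository's own tool set.
  buildInputs = shell.nix-shell.buildInputs ++ [
    sourcephile-shred-tmp
    (pkgs.nixos []).nixos-generate-config
    (pkgs.nixos []).nixos-install
    (pkgs.nixos []).nixos-enter
    #pkgs.binutils
    pkgs.coreutils
    pkgs.cryptsetup
    pkgs.curl
    #pkgs.direnv
    pkgs.dnsutils
    #pkgs.dropbear
    pkgs.e2fsprogs
    pkgs.git
    pkgs.glibcLocales
    pkgs.gnumake
    pkgs.gnupg
    pkgs.htop
    #pkgs.inetutils
    pkgs.ipcalc
    #pkgs.iputils
    pkgs.less
    pkgs.libfaketime
    pkgs.ldns
    #pkgs.ldns.examples
    #pkgs.mailutils
    pkgs.man
    pkgs.mdadm
    pkgs.gptfdisk
    pkgs.ncdu
    pkgs.ncurses
    #pkgs.nixops
    #pkgs.openssl
    pkgs.pass
    pkgs.procps
    pkgs.rsync
    #pkgs.rxvt_unicode.terminfo
    #pkgs.sqlite
    pkgs.sqlite
    #pkgs.sudo
    pkgs.tig
    pkgs.time
    #pkgs.tmux
    pkgs.tree
    pkgs.utillinux
    #pkgs.vim
    #pkgs.virtualbox
    pkgs.which
    pkgs.xdg_utils
    pkgs.fio
    pkgs.strace
    #pkgs.zfstools
    pkgs.linuxPackages.perf
    #pkgs.go2nix
    pkgs.wireguard
    pkgs.stun
    pkgs.mkpasswd
    #pkgs.hydra-unstable
  ];
  #enableParallelBuilding = true;

  # Environment variables exported into the shell.
  # pass(1) store, relative to the shell's working directory.
  PASSWORD_STORE_DIR = "pass";
  # Point nixpkgs at the same package set this shell was built from and
  # expose the repository's overlays through an overlays.nix in the store.
  NIX_PATH = pkgs.lib.concatStringsSep ":" [
    "nixpkgs=${pkgs.path}"
    ("nixpkgs-overlays=" + pkgs.writeText "overlays.nix" ''
      import ${inputs.self + "/nixpkgs/overlays.nix"} ++
      import ${inputs.julm-nix + "/nixpkgs/overlays.nix"}
    '')
  ];

  shellHook = ''
    echo >&2 "nix: running shellHook"

    # Since the .envrc calls this shellHook
    # the EXIT trap cannot be freely used
    # because it's already used by direnv,
    # hence shred at startup, which is not ideal.
    sourcephile-shred-tmp

    ${shell.nix-shell.shellHook}

    # gpg
    export GPG_TTY=$(tty)
    gpg-connect-agent updatestartuptty /bye >/dev/null
  '';
}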