From 3a9e31cc8804412ee3ec52d8b8621125c086dc36 Mon Sep 17 00:00:00 2001 From: Bloxx12 Date: Sun, 20 Jul 2025 03:02:13 +0200 Subject: [PATCH] nixpkgs: switch to read-only packages Signed-off-by: Bloxx12 Change-Id: I6a6a69641b8369b151024324d8d06f2acb790c15 --- default.nix | 7 +- modules/system/nix/nixpkgs.mod.nix | 101 +++++++++++++++++------------ 2 files changed, 60 insertions(+), 48 deletions(-) diff --git a/default.nix b/default.nix index 0f8f44e..2a8d007 100644 --- a/default.nix +++ b/default.nix @@ -1,5 +1,5 @@ let - inherit (builtins) currentSystem filter mapAttrs; + inherit (builtins) filter mapAttrs; # https://github.com/andir/npins?tab=readme-ov-file#using-the-nixpkgs-fetchers src = import ./npins; @@ -20,10 +20,7 @@ let modules = [ # This is used to pre-emptively set the hostPlatform for nixpkgs. # Also, we set the system hostname here. - { - networking.hostName = hostname; - nixpkgs.hostPlatform = system; - } + { networking.hostName = hostname; } ./hosts/common.nix ./hosts/${hostname} ] diff --git a/modules/system/nix/nixpkgs.mod.nix b/modules/system/nix/nixpkgs.mod.nix index 0f98f70..8092b9d 100644 --- a/modules/system/nix/nixpkgs.mod.nix +++ b/modules/system/nix/nixpkgs.mod.nix 
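Review bot: The context comment `# This is used to pre-emptively set the hostPlatform for nixpkgs.` in the second default.nix hunk is now stale, because the `nixpkgs.hostPlatform = system;` line under it is removed and the remaining module only sets the hostname; shorten it to `# We set the system hostname here.`. If `system` has no other use in default.nix after this, it is left as an unused binding there too, but its origin and any other uses are outside the hunk. The enclosing `let` and the host-mapping expression that produces `modules` start and end outside the hunk.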
@@ -1,47 +1,62 @@ -# taken from raf -{ sources, ... }: { - # Global nixpkgs configuration. - # This is ignored if nixpkgs.pkgs is set, which should be avoided. - nixpkgs = { - flake = { - source = sources.nixpkgs; - setFlakeRegistry = true; - setNixPath = true; - }; + lib, + sources, + pkgs, + ... +}: +let + inherit (lib.options) mkOption; + inherit (lib.types) str; +in +{ + imports = [ + # Going full schizo + "${sources.nixpkgs}/nixos/modules/misc/nixpkgs/read-only.nix" + ]; - # Configuration reference: - # - config = { - # Disallow broken packages to be built. - allowBroken = false; - - allowUnsupportedSystem = true; - - # Warn when config contains an unrecognized attribute. - # This might be useful for getting a better configuration. - warnUndeclaredOptions = true; - - # Allow unfree packages - allowUnfree = true; - - # Permitted insecure packages in a system. - # Default to none, add more as necessary. - # Matrix also likes using deprecated libraries, which tend to go into this list. - # permittedInsecurePackages = []; - - # Whether to set enableParallelBuilding to true by default while - # building nixpkgs packages. Changing the default causes a mass rebuild. - enableParallelBuildingByDefault = false; - - # Whether to expose old attribute names for compatibility. - # This improves backwards compatibility, - # which I could not care less about in my configuration. - allowAliases = false; - - # List of derivation warnings to display while rebuilding. - # See: - showDerivationWarnings = [ ]; - }; + options.nixpkgs.system = mkOption { + type = str; + default = pkgs.system; + readOnly = true; }; + + config.nixpkgs.pkgs = ( + import sources.nixpkgs { + hostPlatform = pkgs.stdenv.hostPlatform; + overlays = [ ]; + config = { + # Configuration reference: + # + # Disallow broken packages to be built. + allowBroken = false; + + allowUnsupportedSystem = true; + + # Warn when config contains an unrecognized attribute. 
+ # This might be useful for getting a better configuration. + warnUndeclaredOptions = true; + + # Allow unfree packages + allowUnfree = true; + + # Permitted insecure packages in a system. + # Default to none, add more as necessary. + # Matrix also likes using deprecated libraries, which tend to go into this list. + # permittedInsecurePackages = []; + + # Whether to set enableParallelBuilding to true by default while + # building nixpkgs packages. Changing the default causes a mass rebuild. + enableParallelBuildingByDefault = false; + + # Whether to expose old attribute names for compatibility. + # This improves backwards compatibility, + # which I could not care less about in my configuration. + allowAliases = false; + + # List of derivation warnings to display while rebuilding. + # See: + showDerivationWarnings = [ ]; + }; + } + ); }
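Review bot: `hostPlatform = pkgs.stdenv.hostPlatform;` in the `import sources.nixpkgs { … }` call is not one of the arguments the nixpkgs top-level takes (it expects `system`, `localSystem` or `crossSystem`); as far as I recall, its `...` argument pattern silently ignores unknown attributes, so the platform would fall back to the impure `builtins.currentSystem` now that default.nix no longer sets `nixpkgs.hostPlatform = system;`. Even if it were honoured it would be self-referential, since read-only.nix (as I recall it) derives the `pkgs` module argument from the very `config.nixpkgs.pkgs` being defined here, and `options.nixpkgs.system` defaulting to `pkgs.system` has the same dependency. Pass the platform in explicitly instead, e.g. add `system` to the module arguments (handed in from default.nix, via `specialArgs` or similar) and write `localSystem = { inherit system; };`, and use that same value as the default of `nixpkgs.system`. Separately, the removed `nixpkgs.flake = { source = sources.nixpkgs; setFlakeRegistry = true; setNixPath = true; };` block is not re-added anywhere in this patch, so unless those options are set in another module, `<nixpkgs>` and the `nixpkgs` flake-registry entry no longer resolve to the npins-pinned source.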