nixpkgs: switch to read-only packages

Signed-off-by: Bloxx12 <charlie@charlieroot.dev> Change-Id: I6a6a69641b8369b151024324d8d06f2acb790c15
2025-07-20 03:02:13 +02:00 · 2025-07-20 03:02:13 +02:00 · 3a9e31cc88
commit 3a9e31cc88
parent d276dea712
2 changed files with 60 additions and 48 deletions
--- a/default.nix
+++ b/default.nix
@ -1,5 +1,5 @@
 let
-  inherit (builtins) currentSystem filter mapAttrs;
+  inherit (builtins) filter mapAttrs;
  # https://github.com/andir/npins?tab=readme-ov-file#using-the-nixpkgs-fetchers
  src = import ./npins;
@ -20,10 +20,7 @@ let
      modules = [
        # This is used to pre-emptively set the hostPlatform for nixpkgs.
        # Also, we set the system hostname here.
-        {
+        { networking.hostName = hostname; }
          networking.hostName = hostname;
          nixpkgs.hostPlatform = system;
        }
        ./hosts/common.nix
        ./hosts/${hostname}
      ]
--- a/modules/system/nix/nixpkgs.mod.nix
+++ b/modules/system/nix/nixpkgs.mod.nix
@ -1,47 +1,62 @@
 # taken from raf
 { sources, ... }:
 {
-  # Global nixpkgs configuration.
+  lib,
-  # This is ignored if nixpkgs.pkgs is set, which should be avoided.
+  sources,
-  nixpkgs = {
+  pkgs,
-    flake = {
+  ...
-      source = sources.nixpkgs;
+}:
-      setFlakeRegistry = true;
+let
-      setNixPath = true;
+  inherit (lib.options) mkOption;
-    };
+  inherit (lib.types) str;
 in
 {
  imports = [
    # Going full schizo
    "${sources.nixpkgs}/nixos/modules/misc/nixpkgs/read-only.nix"
  ];
-    # Configuration reference:
+  options.nixpkgs.system = mkOption {
-    # <https://nixos.org/manual/nixpkgs/unstable/#chap-packageconfig>
+    type = str;
-    config = {
+    default = pkgs.system;
-      # Disallow broken packages to be built.
+    readOnly = true;
      allowBroken = false;
      allowUnsupportedSystem = true;
      # Warn when config contains an unrecognized attribute.
      # This might be useful for getting a better configuration.
      warnUndeclaredOptions = true;
      # Allow unfree packages
      allowUnfree = true;
      # Permitted insecure packages in a system.
      # Default to none, add more as necessary.
      # Matrix also likes using deprecated libraries, which tend to go into this list.
      # permittedInsecurePackages = [];
      # Whether to set enableParallelBuilding to true by default while
      # building nixpkgs packages. Changing the default causes a mass rebuild.
      enableParallelBuildingByDefault = false;
      # Whether to expose old attribute names for compatibility.
      # This improves backwards compatibility,
      # which I could not care less about in my configuration.
      allowAliases = false;
      # List of derivation warnings to display while rebuilding.
      #  See: <https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/check-meta.nix>
      showDerivationWarnings = [ ];
    };
  };
  config.nixpkgs.pkgs = (
    import sources.nixpkgs {
      hostPlatform = pkgs.stdenv.hostPlatform;
      overlays = [ ];
      config = {
        # Configuration reference:
        # <https://nixos.org/manual/nixpkgs/unstable/#chap-packageconfig>
        # Disallow broken packages to be built.
        allowBroken = false;
        allowUnsupportedSystem = true;
        # Warn when config contains an unrecognized attribute.
        # This might be useful for getting a better configuration.
        warnUndeclaredOptions = true;
        # Allow unfree packages
        allowUnfree = true;
        # Permitted insecure packages in a system.
        # Default to none, add more as necessary.
        # Matrix also likes using deprecated libraries, which tend to go into this list.
        # permittedInsecurePackages = [];
        # Whether to set enableParallelBuilding to true by default while
        # building nixpkgs packages. Changing the default causes a mass rebuild.
        enableParallelBuildingByDefault = false;
        # Whether to expose old attribute names for compatibility.
        # This improves backwards compatibility,
        # which I could not care less about in my configuration.
        allowAliases = false;
        # List of derivation warnings to display while rebuilding.
        #  See: <https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/check-meta.nix>
        showDerivationWarnings = [ ];
      };
    }
  );
 }