{ pkgs, lib, config, system, attic, ... }: let attic-client = attic.packages.${system}.attic-client; post-build-hook = pkgs.writeScript "post-build-hook" '' #!${pkgs.bash}/bin/bash set -euf export IFS=' ' until ${attic-client}/bin/attic push chir-rs $OUT_PATHS; do sleep 5 echo "Retrying..." done ''; in { imports = [ ./workarounds ]; sops.secrets."attic/config.toml" = { sopsFile = ../secrets/shared.yaml; owner = "root"; key = "attic/config.toml"; path = "/root/.config/attic/config.toml"; }; nixpkgs.config.allowUnfree = true; nix = { settings = { sandbox = true; trusted-users = ["@wheel" "remote-build"]; require-sigs = true; builders-use-substitutes = true; substituters = [ "https://attic.chir.rs/chir-rs/" "https://hydra.int.chir.rs" ]; trusted-public-keys = [ "nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg=" "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" "chir-rs:AnwyFacopHSkprD6aXY4/R3J9JYzTbV2rosJCBPaB28=" "riscv:TZX1ReuoIGt7QiSQups+92ym8nKJUSV0O2NkS4HAqH8=" "cache.ztier.link-1:3P5j2ZB9dNgFFFVkCQWT3mh0E+S3rIWtZvoql64UaXM=" ]; post-build-hook = "${post-build-hook}"; auto-optimise-store = true; }; package = pkgs.nix; extraOptions = '' experimental-features = nix-command flakes ca-derivations ''; gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 7d"; }; buildMachines = with lib; mkMerge [ (mkIf (config.networking.hostName != "instance-20221213-1915") [ { hostName = "build-aarch64"; systems = [ "aarch64-linux" ]; maxJobs = 4; speedFactor = 1; supportedFeatures = ["nixos-test" "benchmark" "ca-derivations" "gccarch-armv8-a" "gccarch-armv8.1-a" "gccarch-armv8.2-a" "big-parallel"]; } ]) ]; distributedBuilds = true; }; systemd.services.nix-daemon.environment.TMPDIR = "/build"; systemd.services.nixos-upgrade = { description = "NixOS Upgrade"; restartIfChanged = false; unitConfig.X-StopOnRemoval = false; serviceConfig.Type = "oneshot"; path = with pkgs; [ coreutils gnutar xz.bin gzip gitMinimal config.nix.package.out config.programs.ssh.package jq curl ]; script = lib.mkDefault '' #!${pkgs.bash}/bin/bash set -ex builds=$(${pkgs.curl}/bin/curl -H 'accept: application/json' https://hydra.int.chir.rs/jobset/flakes/nixos-config/evals | ${pkgs.jq}/bin/jq -r '.evals[0].builds[]') for build in $builds; do doc=$(${pkgs.curl}/bin/curl -H 'accept: application/json' https://hydra.int.chir.rs/build/$build) jobname=$(echo $doc | ${pkgs.jq}/bin/jq -r '.job') if [ "$jobname" = "${config.networking.hostName}.${system}" ]; then drvname=$(echo $doc | ${pkgs.jq}/bin/jq -r '.drvpath') output=$(${pkgs.nix}/bin/nix-store -r $drvname) $output/bin/switch-to-configuration boot booted="$(${pkgs.coreutils}/bin/readlink /run/booted-system/{initrd,kernel,kernel-modules})" built="$(${pkgs.coreutils}/bin/readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" if [ "$booted" = "$built" ]; then $output/bin/switch-to-configuration switch else ${pkgs.systemd}/bin/shutdown -r +1 fi exit fi done ''; after = ["network-online.target"]; wants = ["network-online.target"]; }; systemd.timers.nixos-upgrade = { timerConfig = { OnBootSec = 300; RandomizedDelaySec = 3600; OnUnitActiveSec = 3600; }; requires = ["nixos-upgrade.service"]; wantedBy = ["multi-user.target"]; }; systemd.sockets.nixos-upgrade = { socketConfig = { Service = "nixos-upgrade.service"; BindIPv6Only = true; ListenDatagram = "[::]:15553"; }; }; }