nixos-config/config/nix.nix


{
pkgs,
lib,
config,
system,
...
}: let
# Hook script wired into nix.settings.post-build-hook below. For the
# derivation in $DRV_PATH and every output in $OUT_PATHS (both exported
# by Nix to the hook) it signs the path and then copies it to the
# S3-compatible binary cache.
#
# Security notes:
# - The script lands in the world-readable Nix store, so only the *paths*
#   of the sops secrets are interpolated here, never the key material.
# - Per the Nix manual the hook runs synchronously after each build and,
#   under nix-daemon, as the daemon's user; with `set -e` any failed
#   sign/upload makes the hook exit non-zero, which fails the build.
# - NOTE(review): `nix store sign` uses services/nix/cache-key while the
#   S3 store's secret-key parameter uses services/hydra/cache-key. Only
#   the former is declared in this file; confirm the latter is declared
#   for every host importing this module and that two keys are intended.
# - NOTE(review): S3 credentials are not visible here; presumably they
#   come from the daemon's environment. Scope them to this bucket only.
post-build-hook = let
  nixBin = "${pkgs.nix}/bin";
  signingKeyFile = config.sops.secrets."services/nix/cache-key".path;
  uploadKeyFile = config.sops.secrets."services/hydra/cache-key".path;
  # Binary-cache store URL, assembled from its query parameters.
  cacheUrl =
    "s3://cache-chir-rs?"
    + lib.concatStringsSep "&" [
      "scheme=https"
      "endpoint=s3.us-west-000.backblazeb2.com"
      "secret-key=${uploadKeyFile}"
      "multipart-upload=true"
      "compression=zstd"
      "compression-level=15"
    ];
in
  # -f disables globbing and IFS is a single space, so the unquoted
  # $OUT_PATHS expands to one word per store path.
  pkgs.writeScript "post-build-hook" ''
    #!/bin/sh
    set -euf
    export IFS=' '
    ${nixBin}/nix-store -r $DRV_PATH
    for f in $DRV_PATH $OUT_PATHS; do
    ${nixBin}/nix store sign --key-file ${signingKeyFile} $f
    ${nixBin}/nix copy --to '${cacheUrl}' $f
    done
  '';
in {
# Additional module(s) pulled in from the sibling ./workarounds path.
imports = [./workarounds];
# Lets nixpkgs evaluate packages whose licence is marked unfree.
nixpkgs.config.allowUnfree = true;
# Nix daemon configuration: sandboxing, cache trust, garbage collection
# and the remote build machines.
nix = {
  package = pkgs.nix;
  distributedBuilds = true;

  settings = {
    sandbox = true;
    # Substituted paths must carry a signature from one of the
    # trusted-public-keys below.
    require-sigs = true;
    # NOTE(review): the Nix manual describes trusted-users as essentially
    # root-equivalent (they can add substituters and import unsigned
    # paths). Keep this only if every wheel member is already an admin.
    trusted-users = ["@wheel"];
    # Remote builders fetch dependencies from substituters themselves
    # instead of receiving them from this machine.
    builders-use-substitutes = true;
    substituters = [
      "https://f000.backblazeb2.com/file/cache-chir-rs/"
      "https://hydra.int.chir.rs/"
    ];
    # Any key listed here can vouch for any store path, whichever
    # substituter served it, so keep the list to keys actually in use.
    # NOTE(review): no substituter in this file corresponds to
    # hydra.nixos.org-1; confirm that key is still needed. Which key
    # signs hydra.int.chir.rs is not visible here.
    trusted-public-keys = [
      "nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg="
      "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
    ];
    # Store path of the signing/upload script bound in the `let` above.
    post-build-hook = "${post-build-hook}";
  };

  extraOptions = ''
    experimental-features = nix-command flakes ca-derivations
  '';

  # Weekly garbage collection that also drops generations older than 7d.
  gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 7d";
  };

  # Remote builders. Outputs they return are taken on trust by the local
  # daemon, so each builder is part of the trust base of this host.
  # NOTE(review): no sshUser, sshKey or publicHostKey is set, so the SSH
  # identity and host-key checking come from the SSH configuration of
  # the user running nix-daemon; confirm the host keys are pinned there.
  buildMachines = let
    # Both builders advertise the same set of target systems.
    builderSystems = [
      "armv7l-linux"
      "aarch64-linux"
      "powerpc-linux"
      "powerpc64-linux"
      "powerpc64le-linux"
      "riscv32-linux"
      "riscv64-linux"
      "wasm32-wasi"
      "x86_64-linux"
      "i686-linux"
    ];
    mkBuilder = spec: spec // {systems = builderSystems;};
  in [
    (mkBuilder {
      hostName = "build-nas";
      maxJobs = 12;
      speedFactor = 1;
      supportedFeatures = [
        "kvm"
        "nixos-test"
        "big-parallel"
        "benchmark"
        "gccarch-znver1"
        "gccarch-skylake"
        "ca-derivations"
      ];
    })
    (mkBuilder {
      hostName = "build-pc";
      maxJobs = 16;
      speedFactor = 2;
      supportedFeatures = [
        "kvm"
        "nixos-test"
        "big-parallel"
        "benchmark"
        "gccarch-znver2"
        "gccarch-znver1"
        "gccarch-skylake"
        "ca-derivations"
      ];
    })
  ];
};
# Unattended upgrade: every hour the host rebuilds itself from the
# per-host, per-system ref of the configuration repository.
#
# Security notes:
# - Whatever that ref points to is activated within the hour, so write
#   access to the repository (and the forge serving it) is equivalent
#   to root on every host using this module.
# - NOTE(review): nothing in this file verifies commit signatures or
#   pins a revision; integrity rests on HTTPS to git.chir.rs and on who
#   may push to these refs. Confirm they are protected on the forge.
system.autoUpgrade = let
  hostRef = "nixos-config/nixos-config/${config.networking.hostName}.${system}";
in {
  enable = true;
  dates = "hourly";
  flake = "git+https://git.chir.rs/darkkirb/nixos-config?ref=${hostRef}";
  flags = [
    "--no-write-lock-file"
    "-L" # print build logs
  ];
};
# Sets TMPDIR=/build in the nix-daemon service environment.
# NOTE(review): /build is not created in this file; presumably it is
# provisioned elsewhere. Confirm it is not writable by unprivileged users.
systemd.services.nix-daemon.environment = {
  TMPDIR = "/build";
};
# Declares the signing key read by the post-build hook, with sops-nix
# defaults (no owner/mode override here). The hook also reads
# services/hydra/cache-key, which this file does not declare.
sops.secrets = {
  "services/nix/cache-key" = {};
};
}