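{
  description = "chandy's darwin system";

  inputs = {
    # Package sets
    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-23.05-darwin";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";

    # Environment/system management. Both follow `nixpkgs-unstable` so the
    # system is built from a single package set; the branch refs below are
    # pinned to exact revisions by `flake.lock`.
    darwin.url = "github:lnl7/nix-darwin/master";
    darwin.inputs.nixpkgs.follows = "nixpkgs-unstable";
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs-unstable";
  };

  outputs = { self, darwin, nixpkgs, home-manager, ... }@inputs:
    let
      inherit (darwin.lib) darwinSystem;
      inherit (inputs.nixpkgs-unstable.lib)
        attrValues optionalAttrs singleton;

      # Configuration for `nixpkgs` shared by every host: unfree packages
      # allowed, plus every overlay exported under `self.overlays`.
      nixpkgsConfig = {
        config = { allowUnfree = true; };
        overlays = attrValues self.overlays ++ singleton (
          # Sub in x86 version of packages that don't build on Apple Silicon yet
          final: prev: (optionalAttrs (prev.stdenv.system == "aarch64-darwin") {
            inherit (final.pkgs-x86)
              idris2
              nix-index
              niv
              purescript;
          })
        );
      };

      # Both hosts share the same module list; only `system` differs.
      mkDarwinConfig = system: darwinSystem {
        inherit system;
        modules = attrValues self.darwinModules ++ [
          # Main `nix-darwin` config
          ./configuration.nix
          # `home-manager` module
          home-manager.darwinModules.home-manager
          {
            nixpkgs = nixpkgsConfig;
            # `home-manager` config
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
            home-manager.users.chandy = import ./home.nix;
          }
        ];
      };
    in
    {
      # My `nix-darwin` configs
      darwinConfigurations."mac-aarch64" = mkDarwinConfig "aarch64-darwin";
      darwinConfigurations."mac-x86_64" = mkDarwinConfig "x86_64-darwin";

      # Overlays --------------------------------------------------------------- {{{
      overlays = {
        # Overlays to add various packages into package set
        # comma = final: prev: {
        #   comma = import inputs.comma { inherit (prev) pkgs; };
        # };

        # Overlay useful on Macs with Apple Silicon
        apple-silicon = final: prev:
          optionalAttrs (prev.stdenv.system == "aarch64-darwin") {
            # Add access to x86 packages when the system is running Apple Silicon.
            # A second, x86_64 instantiation of nixpkgs-unstable with the same
            # `config` (allowUnfree) as the primary package set.
            pkgs-x86 = import inputs.nixpkgs-unstable {
              system = "x86_64-darwin";
              inherit (nixpkgsConfig) config;
            };
          };
      };

      # My `nix-darwin` modules that are pending upstream, or patched versions
      # waiting on upstream fixes.
      darwinModules = {
        programs-nix-index =
          # Additional configuration for `nix-index` to enable
          # `command-not-found` functionality with Fish.
          { config, lib, pkgs, ... }:
          {
            config = lib.mkIf config.programs.nix-index.enable {
              programs.fish.interactiveShellInit = ''
                function __fish_command_not_found_handler --on-event="fish_command_not_found"
                  ${if config.programs.fish.useBabelfish then ''
                    command_not_found_handle $argv
                  '' else ''
                    # Hand the command and its arguments to bash as positional
                    # parameters rather than splicing them into the `-c` string:
                    # bash would otherwise re-parse whatever the user typed
                    # (quotes, `$`, backticks, `;`) as shell syntax.
                    ${pkgs.bashInteractive}/bin/bash -c \
                      'source ${config.programs.nix-index.package}/etc/profile.d/command-not-found.sh; command_not_found_handle "$@"' \
                      command_not_found_handle $argv
                  ''}
                end
              '';
            };
          };

        security-pam =
          # Upstream PR: https://github.com/LnL7/nix-darwin/pull/228
          { config, lib, pkgs, ... }:
          with lib;
          let
            cfg = config.security.pam;

            # Implementation Notes
            #
            # We don't use `environment.etc` because this would require that the
            # user manually delete `/etc/pam.d/sudo` which seems unwise given
            # that applying the nix-darwin configuration requires sudo. We also
            # can't use `system.patchs` since it only runs once, and so won't
            # patch in the changes again after OS updates (which remove
            # modifications to this file).
            #
            # As such, we resort to line addition/deletion in place using
            # `sed`. We add a comment to the added line that includes the name
            # of the option, to make it easier to identify the line that should
            # be deleted when the option is disabled.
            #
            # This runs from the activation script, i.e. as root, and edits a
            # PAM policy file; `sufficient` means a successful Touch ID check
            # alone satisfies the `auth` stack for sudo.
            mkSudoTouchIdAuthScript = isEnabled:
              let
                file = "/etc/pam.d/sudo";
                option = "security.pam.enableSudoTouchIdAuth";
              in
              ''
                ${if isEnabled then ''
                  # Enable sudo Touch ID authentication, if not already enabled.
                  # The guard matches any `pam_tid.so` line (hand-added ones
                  # included), so an existing rule is never duplicated.
                  # NOTE(review): inserting at line 2 assumes line 1 is the
                  # file's header comment; `sufficient` only short-circuits the
                  # stack when it precedes the other `auth` rules -- confirm
                  # against the stock file after an OS update.
                  if ! grep 'pam_tid.so' ${file} > /dev/null; then
                    sed -i "" '2i\
                  auth sufficient pam_tid.so # nix-darwin: ${option}
                  ' ${file}
                  fi
                '' else ''
                  # Disable sudo Touch ID authentication, if added by nix-darwin.
                  # Only lines tagged with the option name are deleted, so a
                  # manually added `pam_tid.so` rule is left alone.
                  if grep '${option}' ${file} > /dev/null; then
                    sed -i "" '/${option}/d' ${file}
                  fi
                ''}
              '';
          in
          {
            # NOTE(review): the option is not declared here, so
            # `cfg.enableSudoTouchIdAuth` must be declared by nix-darwin itself
            # (presumably via the upstream PR above) -- confirm before reuse.
            # options = {
            #   security.pam.enableSudoTouchIdAuth = mkEnableOption ''
            #     Enable sudo authentication with Touch ID
            #     When enabled, this option adds the following line to /etc/pam.d/sudo:
            #         auth       sufficient     pam_tid.so
            #     (Note that macOS resets this file when doing a system update. As such, sudo
            #     authentication with Touch ID won't work after a system update until the nix-darwin
            #     configuration is reapplied.)
            #   '';
            # };
            config = {
              system.activationScripts.extraActivation.text = ''
                # PAM settings
                echo >&2 "setting up pam..."
                ${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth}
              '';
            };
          };
      };
    };
}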