infrastructure/nixos/base/nix.nix

{
  config,
  options,
  lib,
  gensokyo-zone,
  ...
}: let
  inherit (gensokyo-zone.lib) mkAlmostDefault;
  inherit (lib.modules) mkIf mkMerge mkDefault;
  inherit (lib.attrsets) optionalAttrs;
  inherit (lib.trivial) importJSON;
  hasSops = options ? sops;
in {
  config = {
    boot.loader = {
      grub.configurationLimit = 8;
      systemd-boot.configurationLimit = 8;
    };

    nix = {
      registry = let
        lock = importJSON ../../flake.lock;
        mapFlake = name: let
          node = lock.nodes.${name};
        in
          {
            inherit (node.original) type;
            inherit (node.locked) lastModified rev narHash;
          }
          // optionalAttrs (node.original.type == "github") {
            inherit (node.original) repo owner;
          };
        nixpkgs'ref.to = mapFlake "nixpkgs";
        nixpkgs'copy.flake = gensokyo-zone.inputs.nixpkgs;
      in {
        nixpkgs = mkMerge [
          (mkDefault nixpkgs'ref)
          # front-load nixpkgs to real machines as part of the system closure
          # (they're likely to fetch slowly on demand due to underpowered networking)
          (mkIf (!config.boot.isContainer) nixpkgs'copy)
        ];
        arc = mkDefault {
          to = mapFlake "arcexprs";
        };
        ci = mkDefault {
          to = {
            inherit (lock.nodes.ci.original) type owner repo;
          };
          exact = false;
        };
      };
      settings = {
        allowed-users = ["@nixbuilder"];
        experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
        substituters = [
          "https://gensokyo-infrastructure.cachix.org"
          "https://arc.cachix.org"
          "https://kittywitch.cachix.org"
          "https://nix-community.cachix.org"
        ];
        trusted-public-keys = [
          "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI="
          "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY="
          "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0="
          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
          "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI="
        ];
        trusted-users = ["root" "@wheel"];
      };
      extraOptions = mkIf hasSops ''
        !include ${config.sops.secrets.github-access-token-public.path}
      '';
      gc = {
        automatic = mkDefault true;
        dates = mkDefault "Mon 02:45";
        options = mkDefault "--delete-older-than 12d";
      };
      optimise = {
        automatic = mkAlmostDefault true;
        dates = mkDefault ["03:25"];
      };
    };
    ${
      if hasSops
      then "sops"
      else null
    }.secrets.github-access-token-public = {
      sopsFile = mkDefault ../secrets/nix.yaml;
      group = mkDefault "users";
      mode = mkDefault "0640";
    };
  };
}