author Silvan Mosberger <silvan.mosberger@tweag.io> 2023-11-16 07:30:27 +0100
committer Martin Fischer <martin@push-f.com> 2024-11-29 05:49:48 +0100
commit 2ae50cc68e42b9d790dfba26a8c42219e7ae8f6a (patch)
tree d6330dd49c89fe94f0ecd4fc0900f747aa341865
import https://github.com/infinisil/sanix
I (Martin) squashed the commits up to the currently latest (37b7f370e36f1a1e90f746e0a4f80582058f7d55).
-rw-r--r-- nixos/README.md 76
-rw-r--r-- nixos/nixpkgs/config.nix 4
-rw-r--r-- nixos/nixpkgs/overlays.nix 4
-rw-r--r-- nixos/nixpkgs/path.nix 2
-rwxr-xr-x nixos/rebuild 11
-rw-r--r-- nixos/root.nix 34
6 files changed, 131 insertions, 0 deletions
diff --git a/nixos/README.md b/nixos/README.md
new file mode 100644
index 0000000..5888527
--- /dev/null
+++ b/nixos/README.md
@@ -0,0 +1,76 @@
+# Sane stable stateless NixOS setup
+
+This is a fairly straightforward setup for making a NixOS system configuration stateless without relying on experimental Nix features.
+
+This means:
+- `nix-channel` is disabled
+- Nixpkgs is managed with [niv](https://github.com/nmattia/niv) [^1]
+- The same Nixpkgs is used for the system and all Nix commands
+- This includes the Nixpkgs version, config and overlays
+
+[^1]: Yes niv is a third-party tool, but it's essentially just a nice wrapper around `nix-prefetch-url` and co.
+
+## Usage
+
+We're assuming that you just installed NixOS by going through the [official installation docs](https://nixos.org/manual/nixos/stable/#sec-installation).
+
+### Setup
+
+1. Clone this repo to a local directory and enter it:
+ ```
+ nix-shell -p git --run \
+ 'git clone https://github.com/infinisil/sane-stable-nixos nixos'
+ cd nixos
+ ```
+2. Add your initial NixOS configuration files, either
+ - Move your existing configuration files into it:
+ ```
+ sudo mv /etc/nixos/* .
+ ```
+ - Generate new ones:
+ ```
+ nixos-generate-config --dir .
+ ```
+3. Pin Nixpkgs to the [latest stable version](https://nixos.org/manual/nixos/stable/release-notes) using [niv](https://github.com/nmattia/niv):
+ ```
+ nix-shell -p niv --run \
+ 'niv init --nixpkgs NixOS/nixpkgs --nixpkgs-branch nixos-23.11'
+ ```
+4. Remove all stateful channels:
+ ```
+ sudo rm -v /nix/var/nix/profiles/per-user/*/channels*
+ ```
+5. Rebuild:
+ ```
+ sudo ./rebuild switch
+ ```
+6. Log out and back in again.
+
+### Making changes
+
+Here are some changes you can make:
+- Change the NixOS configuration in `./configuration.nix`
+- Update the pinned Nixpkgs:
+ ```
+ niv update nixpkgs
+ ```
+- Upgrade to a newer release:
+ ```
+ niv update nixpkgs --branch nixos-23.11
+ ```
+- Change the Nixpkgs config by editing `nixpkgs/config.nix`
+- Add Nixpkgs overlays to `nixpkgs/overlays.nix`
+- Regenerate the hardware configuration:
+ ```
+ nixos-generate-configuration --dir .
+ ```
+
+To apply the changes, run
+```
+sudo ./rebuild switch
+```
+
+All options to `./rebuild` are forwarded to `nixos-rebuild`.
+
+After rebuilding, the changes are reflected in the system.
+Furthermore, all Nix commands on the system will also use the the same values.
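Review bot: The last bullet under "Making changes" runs `nixos-generate-configuration --dir .`, but setup step 2 uses `nixos-generate-config --dir .`, which is the actual command name; the later one should match it. In the same list, "Upgrade to a newer release" shows `--branch nixos-23.11`, the same branch that step 3 already pins, so a placeholder for the newer branch would read better. Step 1 clones `infinisil/sane-stable-nixos` while the commit message imports from `infinisil/sanix`; if the repository was renamed, use one name throughout. The final line also has a doubled "the the".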
diff --git a/nixos/nixpkgs/config.nix b/nixos/nixpkgs/config.nix
new file mode 100644
index 0000000..b53485a
--- /dev/null
+++ b/nixos/nixpkgs/config.nix
@@ -0,0 +1,4 @@
+# https://nixos.org/manual/nixpkgs/stable/#chap-packageconfig
+{
+
+}
diff --git a/nixos/nixpkgs/overlays.nix b/nixos/nixpkgs/overlays.nix
new file mode 100644
index 0000000..613338f
--- /dev/null
+++ b/nixos/nixpkgs/overlays.nix
@@ -0,0 +1,4 @@
+# https://nixos.org/manual/nixpkgs/stable/#sec-overlays-definition
+[
+
+]
diff --git a/nixos/nixpkgs/path.nix b/nixos/nixpkgs/path.nix
new file mode 100644
index 0000000..ea4a74c
--- /dev/null
+++ b/nixos/nixpkgs/path.nix
@@ -0,0 +1,2 @@
+# The Nixpkgs path to use
+(import ../nix/sources.nix).nixpkgs.outPath
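Review bot: `../nix/sources.nix` on the second line is not among the six files this commit adds, so `nixpkgs/path.nix` cannot be evaluated from a fresh checkout until README step 3 (`niv init`) has been run. A short comment here saying that the file is generated by niv, and that the resulting `nix/` directory should be committed so the pin is reviewed together with the configuration, would make the dependency explicit.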
diff --git a/nixos/rebuild b/nixos/rebuild
new file mode 100755
index 0000000..2ee7d76
--- /dev/null
+++ b/nixos/rebuild
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# nix-instantiate --eval has no raw mode yet
+nixpkgsPath=$(nix-instantiate --eval --read-write-mode nixpkgs/path.nix | tr -d \")
+# Get the ./root.nix relative to this script
+configPath=$(realpath -- "$(dirname -- "${BASH_SOURCE[0]}")/root.nix")
+
+# nixos-rebuild always reads Nixpkgs from the NIX_PATH,
+# so we need to set it explicitly to our pinned version
+exec nixos-rebuild "$@" -I nixpkgs="$nixpkgsPath" -I nixos-config="$configPath"
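Review bot: `nixpkgs/path.nix` in the `nixpkgsPath=` line is resolved against the current working directory, while `configPath` two lines below is resolved against the script's own location via `BASH_SOURCE`. Since the README runs this script under sudo, invoking it from another directory either fails or evaluates whatever `nixpkgs/path.nix` exists there as root. Compute the script directory once and use it for both paths. Also, `tr -d \"` removes every double quote in the output rather than only the surrounding pair; that is harmless for a store path, but the comment above it could say so.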
diff --git a/nixos/root.nix b/nixos/root.nix
new file mode 100644
index 0000000..b23e091
--- /dev/null
+++ b/nixos/root.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, ... }: {
+ imports = [
+ # Import your main configuration
+ ./configuration.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ # We're using niv to manage the systems Nixpkgs version, install it globally for ease
+ niv
+ ];
+
+ # Use the Nixpkgs config and overlays from the local files for this NixOS build
+ nixpkgs = {
+ config = import ./nixpkgs/config.nix;
+ overlays = import ./nixpkgs/overlays.nix;
+ };
+
+ # Makes commands default to the same Nixpkgs, config, overlays and NixOS configuration
+ nix.nixPath = [
+ "nixpkgs=${pkgs.path}"
+ "nixos-config=${toString ./root.nix}"
+ "nixpkgs-overlays=${toString ./nixpkgs/overlays.nix}"
+ ];
+ environment.variables.NIXPKGS_CONFIG = lib.mkForce (toString ./nixpkgs/config.nix);
+
+ # Remove the stateful nix-channel command
+ environment.extraSetup = ''
+ rm --force $out/bin/nix-channel
+ '';
+
+ # This option is broken when set false, prevent people from setting it to false
+ # And we implement the important bit above ourselves
+ nix.channel.enable = true;
+}
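Review bot: The `toString ./...` values in `nix.nixPath` and `NIXPKGS_CONFIG` expand to absolute paths inside the checkout rather than to store paths, so every later Nix command, including ones run as root, reads `root.nix`, `nixpkgs/overlays.nix` and `nixpkgs/config.nix` from wherever the repo was cloned. README step 1 clones into the current directory without sudo, so the comment above `nix.nixPath` should state that the checkout must stay at that path and be writable only by accounts trusted to change the system configuration. Separately, the comment on `nix.channel.enable` says the option is broken when set to false without saying how or linking an issue; a reference would help whoever revisits it.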