dotfiles/etc/nix/nix.conf, branch masterMy linux config and rc fileshttps://git.sommerfeld.dev/dotfiles/atom/etc/nix/nix.conf?h=master2026-05-13T12:43:40Zfeat(nix): saturate builds, add community cache, pin nixpkgs registry2026-05-13T12:43:40Zsommerfeldsommerfeld@sommerfeld.dev2026-05-13T12:43:40Zurn:sha1:26fc82ade8e6fde6858df1ed53bafa64719f2f15
- Drop auto-optimise-store: slows every build for modest disk savings.
Run 'nix store optimise' manually if disk pressure ever shows up.
- max-jobs=auto, cores=0: defaults are 1/1, which left most of the box
idle during large closures (LLVM, protobuf, …).
- Add nix-community.cachix.org as an extra substituter with its public
key. Big hit-rate boost against nixos-unstable, which is what the new
user registry points 'nixpkgs' at.
- dot_config/nix/registry.json pins 'nixpkgs' indirect ref to
github:NixOS/nixpkgs/nixos-unstable, so 'nix shell nixpkgs#foo' is
fast + reproducible. Project flakes are unaffected — they pin their
own inputs via flake.lock.
refactor(nftables): minimize diff against upstream pristine2026-05-13T12:43:36Zsommerfeldsommerfeld@sommerfeld.dev2026-05-13T12:43:36Zurn:sha1:fd06e5313c257648b10a56b9c4151d701fba7d43
The previous custom config rewrote the file to 4-space indentation,
added an explicit accept-policy output chain, and expanded the icmp
section into per-type whitelists. None of that changed observable
behaviour vs the stock arch nftables.conf:
* Stock already uses scoped `destroy table inet filter` (so podman
and netavark tables survive a reload).
* `meta l4proto { icmp, icmpv6 } accept` already covers NDP, MLD,
PMTUD, and echo — the explicit per-type list was equivalent.
* Without an output chain, outbound traffic is unfiltered, which is
identical to `policy accept` on an explicit output chain.
* DHCPv6 client (UDP/546) is only needed on networks that hand out
DHCPv6 leases; my home/work LANs use SLAAC + RDNSS, and the rare
DHCPv6 case can be added back in one line if it ever bites.
The only laptop-specific deviation is dropping the
`tcp dport ssh accept` line — no inbound SSH on a portable machine.
Net diff against pristine is now a single deletion, which makes
`just etc-upstream-diff` actually useful for spotting upstream
ruleset improvements on package updates.
feat(nix): hybrid setup with flakes + direnv for per-project dev shells2026-05-13T12:43:24Zsommerfeldsommerfeld@sommerfeld.dev2026-05-13T12:43:24Zurn:sha1:ebad39adab212ab4e26f9a98befa0048c7eea710
Install Nix (multi-user daemon) on Arch and wire up direnv so any project
can declare its toolchain in a flake.nix and get a hermetic dev shell on
cd. No NixOS, no home-manager, no migration off paru/chezmoi — just one
new package manager scoped to project dev shells.
- meta/nix.txt: nix from extra repo
- meta/dev.txt: direnv (general-purpose, not nix-specific)
- systemd-units/system/nix.txt: nix-daemon.socket (socket-activated)
- etc/nix/nix.conf: enable flakes + nix-command, trusted-users=@wheel,
auto-optimise-store, keep-outputs/derivations so direnv envs survive GC
- dot_config/direnv/direnvrc: load nix-direnv 3.1.1 via source_url with
pinned sha256 (not packaged for Arch; refusing -git AUR)
- dot_config/nix/templates/{flake.nix,dev/}: flake template usable via
'nix flake init -t ~/.config/nix/templates'
- dot_config/zsh/dot_zshrc: 'eval "$(direnv hook zsh)"'