From 0a17a8c1a8ae6ac679a3225980d7bb11a64ec90c Mon Sep 17 00:00:00 2001
From: guangtao <gtrunsec@hardenedlinux.org>
Date: Wed, 11 Oct 2023 01:35:58 -0700
Subject: [PATCH] feat(darwinProfiles): add nix

---
 flake.lock                                    |  6 +--
 nixos/darwinProfiles/presets/nix/default.nix  | 39 +++++++++++++++++++
 nixos/darwinProfiles/presets/nix/optimise.nix | 33 ++++++++++++++++
 tests/_snapshots/darwin                       |  4 ++
 tests/darwin/expr.nix                         |  6 +++
 5 files changed, 85 insertions(+), 3 deletions(-)
 create mode 100644 nixos/darwinProfiles/presets/nix/default.nix
 create mode 100644 nixos/darwinProfiles/presets/nix/optimise.nix

diff --git a/flake.lock b/flake.lock
index 99332c5..891ed28 100644
--- a/flake.lock
+++ b/flake.lock
@@ -78,11 +78,11 @@
         "yants": "yants"
       },
       "locked": {
-        "lastModified": 1696927051,
-        "narHash": "sha256-6l7xdYAS77Eqruv8/acx3uVcYPMaxDga2QWPPVXOaZc=",
+        "lastModified": 1697013157,
+        "narHash": "sha256-cu7V3jcTqk+zzEwPGNWj61nD76Fe8KZgN/BtuNO5rZQ=",
         "owner": "gtrunsec",
         "repo": "flops",
-        "rev": "5bea3b358b8b5745b6f19e4678a643c57110f0fe",
+        "rev": "dd2aeb15b7d4c4ccc3d6c03aed403f0e14b1127a",
         "type": "github"
       },
       "original": {
diff --git a/nixos/darwinProfiles/presets/nix/default.nix b/nixos/darwinProfiles/presets/nix/default.nix
new file mode 100644
index 0000000..f40d5c8
--- /dev/null
+++ b/nixos/darwinProfiles/presets/nix/default.nix
@@ -0,0 +1,39 @@
+{
+  lib,
+  pkgs,
+  loadSubmodule,
+}:
+let
+  l = lib // builtins;
+  inherit (pkgs.stdenv.hostPlatform) isAarch64;
+in
+{
+  imports = [ (loadSubmodule ./optimise.nix) ];
+  nix = {
+    package = pkgs.nixUnstable;
+    configureBuildUsers = true;
+    settings = {
+      # Administrative users on Darwin systems are part of the admin group.
+      trusted-users = [ "@admin" ];
+      extra-platforms = l.mkIf isAarch64 [
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
+      auto-optimise-store = false;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        "recursive-nix"
+      ];
+      sandbox = false;
+      # https://github.com/NixOS/nix/issues/7273
+    };
+    extraOptions = ''
+      # https://plutus-community.readthedocs.io/en/latest/#Environment/Build/Mac_M1/
+      extra-sandbox-paths = /System/Library/Frameworks /System/Library/PrivateFrameworks /usr/lib /private/tmp /private/var/tmp /usr/bin/env
+    '';
+  };
+  services.nix-daemon.enable = true;
+  # Recreate /run/current-system symlink after boot
+  # services.activate-system.enable = true;
+}
diff --git a/nixos/darwinProfiles/presets/nix/optimise.nix b/nixos/darwinProfiles/presets/nix/optimise.nix
new file mode 100644
index 0000000..0a4c1cc
--- /dev/null
+++ b/nixos/darwinProfiles/presets/nix/optimise.nix
@@ -0,0 +1,33 @@
+# credit: https://github.com/montchr/dotfield/blob/68f6c9c3f6cc67c5c775b8a2a3f93cae6a76b3a5/profiles/darwinProfiles/core/nix-optimizations-darwin.nix#L9
+{ config }:
+{
+  nix.settings.auto-optimise-store = false;
+  # While it’s possible to set `auto-optimise-store` in `nix.conf`, it sometimes causes problems
+  # on Darwin.  Run a job periodically to optimise the store.
+  launchd.daemons."nix-store-optimise".serviceConfig = {
+    ProgramArguments = [
+      "/bin/sh"
+      "-c"
+      ''
+        /bin/wait4path ${config.nix.package}/bin/nix && \
+          exec ${config.nix.package}/bin/nix store optimise
+      ''
+    ];
+    StartCalendarInterval = [ {
+      Hour = 2;
+      Minute = 0;
+    } ];
+    StandardErrorPath = "/var/log/nix-store.log";
+    StandardOutPath = "/var/log/nix-store.log";
+  };
+
+  nix.gc = {
+    automatic = true;
+    interval = {
+      Weekday = 0;
+      Hour = 2;
+      Minute = 0;
+    };
+    options = "--delete-older-than 30d";
+  };
+}
diff --git a/tests/_snapshots/darwin b/tests/_snapshots/darwin
index 622ba19..e9be12a 100644
--- a/tests/_snapshots/darwin
+++ b/tests/_snapshots/darwin
@@ -32,4 +32,8 @@
       name = "font-fontawesome";
     }
   ];
+  darwinNixProfile = ''
+    # https://plutus-community.readthedocs.io/en/latest/#Environment/Build/Mac_M1/
+    extra-sandbox-paths = /System/Library/Frameworks /System/Library/PrivateFrameworks /usr/lib /private/tmp /private/var/tmp /usr/bin/env
+  '';
 }
\ No newline at end of file
diff --git a/tests/darwin/expr.nix b/tests/darwin/expr.nix
index a523c3c..9decc34 100644
--- a/tests/darwin/expr.nix
+++ b/tests/darwin/expr.nix
@@ -12,7 +12,13 @@ in
   darwinFontProfile =
     (exporter.layouts.darwinConfiguration [
       omnibus.darwinProfiles.presets.homebrew
+      omnibus.darwinProfiles.presets.nix
       { homebrew.__profiles__.fonts = true; }
     ]).config.homebrew.casks;
+
+  darwinNixProfile =
+    (exporter.layouts.darwinConfiguration [ omnibus.darwinProfiles.presets.nix ])
+    .config.nix.extraOptions;
 }
+
 // lib.optionalAttrs trace { }