nixos/nixos/modules/nix.nix

{
  inputs,
  config,
  outputs,
  pkgs,
  lib,
  ...
}: {
  config = {
    nixpkgs = {
      config = {
        allowUnfree = true;
        allowInsecurePredicate = p:
          builtins.elem (lib.getName p) [
            # for fluffychat and neochat
            "olm"

            "fluffychat-linux"
          ];
      };
    };
    sops.secrets."access-tokens" = {
      mode = "0444";
    };
    nix = {
      nixPath = ["nixpkgs=${inputs.nixpkgs}"];
      extraOptions = ''
        !include ${config.sops.secrets."access-tokens".path}
      '';
      settings = {
        inherit (outputs.nix.settings) substituters;
        trusted-users = [
          "root"
          "@wheel"
        ];
        trusted-public-keys = [
          "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        ];
        auto-optimise-store = lib.mkDefault true;
        experimental-features =
          [
            "nix-command"
            "flakes"
          ]
          ++ (lib.optional config.lix.enable "pipe-operator")
          ++ (lib.optional (!config.lix.enable) "pipe-operators");
        warn-dirty = false;
        system-features = [
          "kvm"
          "big-parallel"
        ];
        use-xdg-base-directories = true;
        builders-use-substitutes = true;
      };
      package = pkgs.nix;
      registry.sys = lib.mkDefault {
        from = {
          type = "indirect";
          id = "sys";
        };
        flake = inputs.nixpkgs;
      };
    };
  };
}