Flakes and a little convenient impurity escape hatch

Started using flakes recently? But then you found that:

  1. You need per-machine configuration for experimentation/secrets (well, e.g. firewall config), but don’t want to publish it.
  2. Your configuration is against your usual quality standards, so it’d be a shame to show it to the world.

Here’s one solution to that, which works similarly to how current NixOS deployments are still done.

flake.nix

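{
  inputs = {
    # Placeholder directory committed to the repository; replaced per machine
    # with --override-input.
    impure-local.url = "path:./impure-local";
    # Treat it as a plain source tree, not as a flake.
    impure-local.flake = false;
  };

  # `self` must be accepted here: Nix always passes it to `outputs`.
  outputs = { self, nixpkgs, impure-local }: {
    nixosConfigurations."impure" = nixpkgs.lib.nixosSystem {
      system = "aarch64-linux";
      modules = [
        # Imports default.nix from the (possibly overridden) directory.
        "${impure-local}"
      ];
    };
  };
}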

impure-local (directory)

$ mkdir -p ./impure-local
$ echo '{ ... }: {}' > ./impure-local/default.nix
$ nix flake lock

Keep this in your repository at all times: it’ll be used when no override is specified, and it helps keep the flake.lock hash constant.

Usage

$ nixos-rebuild build --flake '.#impure' --override-input impure-local path:/etc/nixos

Keep in mind that --override-input impure-local ./path will not work! You need to prefix it with path: (like path:./path), otherwise Nix won’t pick the correct directory (sounds like a bug?):

warning: Git tree '/home/mark/home' is dirty
warning: Git tree '/home/mark/home' is dirty
warning: not writing modified lock file of flake 'git+file:///home/mark/home':
• Updated input 'impure-local':
    'path:./impure-local?narHash=sha256-6pJ2Ev9tyW6cLAwqqqb5+VUhqvlVne1+IlB9DtFc0Fo='
  → 'git+file:///home/mark/home?dir=impure-local' (2022-03-20)
error: getting status of '/nix/store/pjc26z765hj1gqhs2cac81g58fk5gvgr-source/default.nix': No such file or directory
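
A wrapper covering both points above, as an added example that is not part of the original post (the function names are hypothetical): it refuses to build if the committed ./impure-local placeholder is anything other than the empty module, and it always passes the override as an absolute path: reference.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Succeeds only if the committed placeholder directory contains nothing but
# the empty module, so machine-specific settings never land in the repository.
placeholder_is_clean() {
    dir=$1
    [ -f "$dir/default.nix" ] || return 1
    # The directory must hold exactly one entry: default.nix
    [ "$(ls -A "$dir")" = "default.nix" ] || return 1
    # Compare against the stub '{ ... }: {}', ignoring whitespace
    [ "$(tr -d ' \t\n' < "$dir/default.nix")" = '{...}:{}' ]
}

# Prints a reference usable with --override-input for a local directory:
# always absolute and always prefixed with path:, never a bare ./path.
override_ref() {
    dir=$1
    [ -f "$dir/default.nix" ] || {
        echo "no default.nix in $dir" >&2
        return 1
    }
    abs=$(cd "$dir" && pwd -P) || return 1
    printf 'path:%s\n' "$abs"
}

# Builds the 'impure' configuration from the page with a private override
# directory (defaults to /etc/nixos, as in the Usage command).
rebuild_impure() {
    placeholder_is_clean ./impure-local || {
        echo "impure-local placeholder was modified; refusing to build" >&2
        return 1
    }
    ref=$(override_ref "${1:-/etc/nixos}") || return 1
    nixos-rebuild build --flake '.#impure' --override-input impure-local "$ref"
}
```

The override directory is copied into the Nix store (the /nix/store/…-source path in the error above is such a copy), and the store is world-readable, so this keeps the settings out of the published repository but not away from other local users.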

Pros

Cons

Example configurations using this