feat: add web-server

.gitignore

@@ -0,0 +1 @@
+result

flake.nix

@@ -23,6 +23,7 @@
       "g14"
       "g17"
       "g18-next"
+      "web-server"
     ];
   in
   {

hosts/web-server/configuration.nix

@@ -4,28 +4,19 @@
   imports =
     [
       ./hardware-configuration.nix
+      ../modules/nasp.nix
     ];
 
+  nasp = {
+    enable = true;
+  };
+
   ## nix
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
-  nix.settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];
   ## hardware and system
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   time.hardwareClockInLocalTime = true;
-  i18n.defaultLocale = "C.UTF-8";
-  i18n.extraLocaleSettings = lib.mkDefault {
-    LC_ADDRESS = "zh_CN.UTF-8";
-    LC_IDENTIFICATION = "zh_CN.UTF-8";
-    LC_MEASUREMENT = "zh_CN.UTF-8";
-    LC_MONETARY = "zh_CN.UTF-8";
-    LC_NAME = "zh_CN.UTF-8";
-    LC_NUMERIC = "zh_CN.UTF-8";
-    LC_PAPER = "zh_CN.UTF-8";
-    LC_TELEPHONE = "zh_CN.UTF-8";
-    LC_TIME = "zh_CN.UTF-8";
-  };
-  time.timeZone = lib.mkDefault "Asia/Shanghai";
   ## network
   services.resolved.enable = true;
   networking.nameservers = [
@@ -38,54 +29,6 @@
   networking.firewall.allowedTCPPorts = [ 80 443 12022 ];
   ## packages and services
   nixpkgs.config.allowUnfree = true;
-  environment.systemPackages = with pkgs; [
-    bash cmake curl file fzf gcc git gnumake htop nettools inetutils iproute2 iputils less man
-    openssh openssl python3 rdma-core sops sudo tmux util-linux vim wget zsh
-    # extended
-    acpi atop btop dialog dig dmidecode dos2unix ethtool fish gnupg iftop iotop killall lshw
-    lsof mtr netcat-gnu nethogs nmap pciutils plocate pstree pwgen ripgrep smartmontools socat
-    sysstat tcpdump unzip usbutils virt-what zip
-    # full
-    wireshark zmap
-  ];
-  programs.zsh.enable = true;
-  programs.nix-ld.enable = true;
-  services.cron.enable = true;
-  services.openssh.enable = true;
-  services.openssh.settings.PermitRootLogin = "prohibit-password";
-  services.openssh.settings.PasswordAuthentication = false;
-  services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys2" ];
-  services.openssh.ports = [ 12022 ];
-  systemd.targets.sleep.enable = false;
-  systemd.targets.suspend.enable = false;
-  systemd.targets.hibernate.enable = false;
-  systemd.targets.hybrid-sleep.enable = false;
-  ## users
-  users.mutableUsers = false;
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUN7IXF4nlFcVfgHesgik3LIAiXlVMYJPm3yD13EVarQx5jqdBgk8Dwgkgf4rPO6MFpvIpinOyEO8zOS6HHQrCLZUv5yTFaDkUuB7eQ0EmpicGbmk9bHqj1HkOZxaobkpEfQUmFKYvkp4EexVw66sO0qfXvjHZ4H6yCAJLK5aUnKfgrE8tODzP82sU/mpJjW+Pq3uanNq754gaHwhxCIXG143/zp8qzBAeKe38xVqqDq9fTkG4hvzFvkRdS88i6l1z++0P3n0HGdOjtSg7P7fO7+7ZyPYr0gO5vB720Om/zxqPrGd9cicWi4P+aVKa+0ujWH/pqufWG6uCjKWHnBs7 sk0/piv/9a"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLYgVj+NPino6sOmahULN7SbAMaVAgzqPfDjz2S8zDv pc1/windows"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhS4voo3K/Dvzqckr0bouO1WkCI5XxswstHWnuuyKBz ltp1-bd"
-  ];
-  users.users.root.shell = pkgs.zsh;
-  system.activationScripts.dotfilesSetup.text = ''
-    if [ -d ~ -a ! -e ~/dotfiles/update.sh ]; then
-      source ${config.system.build.setEnvironment}
-      rm -rf ~/dotfiles
-      bash <(curl -fsSL dotfiles.cn)
-    fi
-  '';
-  users.users.nasp = {
-    isNormalUser = true;
-    createHome = true;
-    group = "nasp";
-    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-    packages = with pkgs; [
-      firefox
-    ];
-    hashedPassword = "$y$j9T$PA/kAY8wcMuHBSz/3Elie.$eHtZUNqCIfAdRBHdCUzuCodaJqcpcYv9nF03wIHX3zD";
-  };
-  users.groups.nasp = {};
   ## desktop
   services.xserver = {
     enable = true;
@@ -95,18 +38,18 @@
   };
 
   # networking
-  networking.hostName = "nasp-web-server";
+  networking.hostName = "web-server";
   systemd.network.networks."10-thunet" = {
-    matchConfig.Name = "xxx";  # TODO
+    matchConfig.Name = "enp3s0f0";
     networkConfig = {
       DHCP = "no";
       IPv6AcceptRA = false;
     };
-    address = [ "166.111.68.109/24" ];  # TODO
+    address = [ "166.111.68.109/28" ];
     routes = [
       {
         routeConfig = {
-          Gateway = "166.111.68.1";  # TODO
+          Gateway = "166.111.68.97";
           GatewayOnLink = true;
           Metric = 90;
         };
@@ -126,6 +69,10 @@
       };
     };
   };
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "xd21@mails.tsinghua.edu.cn";
+  };
 
   system.stateVersion = "24.05";
 }

hosts/web-server/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4bc05f99-244b-4af9-a751-4eb80199857c";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/75A7-1EBE";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}