build(nasp): refactor&modulize ->nvidia,docker,nginx,registry
This commit is contained in:
parent
17402e4bef
commit
e8257c15df
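--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2,12 +2,29 @@
 
 let
 mainCfg = config.nasp;
+nvidiaCfg = mainCfg.nvidia;
+dockerCfg = mainCfg.docker;
+nginxCfg = mainCfg.nginx;
+registryCfg = mainCfg.registry;
 gCfg = mainCfg.gSeries;
 dnew = (pkgs.writeShellScriptBin "dnew" (builtins.readFile ./scripts/dnew));
 in
 {
 options.nasp = {
 enable = lib.mkEnableOption "the nasp server configurations";
+nvidia = {
+enable = lib.mkEnableOption "nvidia gpu support";
+};
+docker = {
+enable = lib.mkEnableOption "docker runtime";
+};
+nginx = {
+enable = lib.mkEnableOption "nginx web server";
+enableCodeServer = lib.mkEnableOption "proxy code server in docker";
+};
+registry = {
+enable = lib.mkEnableOption "the nasp registry";
+};
 gSeries = {
 enable = lib.mkEnableOption "the g-series server configurations";
 serial = lib.mkOption {
@@ -108,11 +125,16 @@ in
 hashedPassword = "$y$j9T$Ei67I7VhQD6gF20/lNBUx0$jnrLqLNSJVCS959deKCamoOi4Q76nNeQ7/kDQCCABl1";
 };
 users.groups.nasp = {};
+## desktop
+services.xserver = {
+enable = true;
+displayManager.gdm.enable = true;
+desktopManager.gnome.enable = true;
+xkb.layout = "us";
+};
 }
-# g series
-(lib.mkIf (gCfg.enable) (let
-ipSuffix = (builtins.toString (gCfg.serial + 100)); in {
-## hardware
+# nvidia
+(lib.mkIf (nvidiaCfg.enable) {
 nixpkgs.config.nvidia.acceptLicense = true;
 hardware.nvidia = {
 package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
@@ -127,6 +149,82 @@ in
 driSupport = true;
 driSupport32Bit = true;
 };
+virtualisation.docker.enableNvidia = true;
+services.xserver.videoDrivers = [ "nvidia" ];
+})
+# docker
+(lib.mkIf (dockerCfg.enable) {
+virtualisation.docker = {
+enable = true;
+daemon.settings = {
+ipv6 = true;
+fixed-cidr-v6 = "fddd:d0c1:1::/64";
+experimental = true;
+ip6tables = true;
+live-restore = false;
+};
+};
+environment.systemPackages = with pkgs; [
+dnew
+];
+})
+# nginx
+(lib.mkIf (nginxCfg.enable) {
+services.nginx = {
+enable = true;
+virtualHosts."default" = {
+serverName = "_";
+default = true;
+locations."/" = {
+return = "404";
+};
+};
+};
+})
+(lib.mkIf (nginxCfg.enable && nginxCfg.enableCodeServer) {
+services.nginx.virtualHosts."code-server" = {
+serverName = "proxy.nasp.fit";
+locations."~ ^/${config.networking.hostName}/([A-Za-z0-9]+)/(.*)" = {
+extraConfig = ''
+rewrite "^/${config.networking.hostName}/([A-Za-z0-9]+)/(.*)" /$2 break;
+proxy_pass "http://unix:/home2/run/$1.sock";
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection upgrade;
+proxy_set_header Accept-Encoding gzip;
+'';
+};
+};
+})
+# registry
+(lib.mkIf (registryCfg.enable) {
+systemd.timers."registry" = {
+wantedBy = [ "timers.target" ];
+timerConfig = {
+OnCalendar = "*:0/5:0";
+Unit = "registry.service";
+};
+};
+systemd.services."registry" = {
+serviceConfig = {
+Type = "oneshot";
+User = "root";
+};
+script = builtins.readFile ./scripts/registry.sh;
+path = with pkgs; [ git bash su ];
+};
+security.sudo.extraConfig = ''
+%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/docker
+%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/reboot
+%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/whoami
+%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/nvidia-smi
+%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/shutdown
+%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/ip
+'';
+})
+# g series
+(lib.mkIf (gCfg.enable) (let
+ipSuffix = (builtins.toString (gCfg.serial + 100)); in {
 ## network
 networking.hostName = assert (gCfg.serial > 0); "g" + (builtins.toString gCfg.serial);
 networking.search = [ "nasp" ];
@@ -198,86 +296,11 @@ in
 interfaces = [ "${gCfg.eth2Name}" ];
 };
 ## packages and services
-environment.systemPackages = with pkgs; [
-# custom
-dnew
-];
-systemd.timers."registry" = {
-wantedBy = [ "timers.target" ];
-timerConfig = {
-OnCalendar = "*:0/5:0";
-Unit = "registry.service";
-};
-};
-systemd.services."registry" = {
-serviceConfig = {
-Type = "oneshot";
-User = "root";
-};
-script = builtins.readFile ./scripts/registry.sh;
-path = with pkgs; [ git bash su ];
-};
-## desktop
-services.xserver = {
-enable = true;
-videoDrivers = [ "nvidia" ];
-displayManager.gdm.enable = true;
-desktopManager.gnome = {
-enable = true;
-extraGSettingsOverridePackages = [ pkgs.gnome.mutter ];
-extraGSettingsOverrides = ''
-[org.gnome.mutter]
-experimental-features=['scale-monitor-framebuffer']
-'';
-};
-layout = "us";
-xkbVariant = "";
-};
-## docker
-virtualisation.docker = {
-enable = true;
-enableNvidia = true;
-daemon.settings = {
-ipv6 = true;
-fixed-cidr-v6 = "fddd:d0c1:1::/64";
-experimental = true;
-ip6tables = true;
-live-restore = false;
-};
-};
-## users
-security.sudo.extraConfig = ''
-%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/docker
-%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/reboot
-%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/whoami
-%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/nvidia-smi
-%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/shutdown
-%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/ip
-'';
-## nginx
-services.nginx = {
-enable = true;
-virtualHosts."default" = {
-serverName = "_";
-default = true;
-locations."/" = {
-return = "404";
-};
-};
-virtualHosts."code-server" = {
-serverName = "proxy.nasp.fit";
-locations."~ ^/${config.networking.hostName}/([A-Za-z0-9]+)/(.*)" = {
-extraConfig = ''
-rewrite "^/${config.networking.hostName}/([A-Za-z0-9]+)/(.*)" /$2 break;
-proxy_pass "http://unix:/home2/run/$1.sock";
-proxy_set_header Host $host;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection upgrade;
-proxy_set_header Accept-Encoding gzip;
-'';
-};
-};
-};
+nasp.docker.enable = true;
+nasp.nvidia.enable = true;
+nasp.registry.enable = true;
+nasp.nginx.enable = true;
+nasp.nginx.enableCodeServer = true;
 }))
 ]);
 }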
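Review bot: The `security.sudo.extraConfig` block with the six `%nasp ... NOPASSWD` rules now lives inside `lib.mkIf (registryCfg.enable)` in the third hunk, so the privilege grant is tied to an unrelated feature flag: a host that enables `nasp.registry` only for the timer also gets passwordless root-equivalent access for the group (the `docker` entry alone is enough for that), while a host enabling `nasp.docker` without the registry gets none. Give the sudoers rules their own gate, e.g. `sudoCfg = mainCfg.sudo;` with an `enable = lib.mkEnableOption "passwordless sudo rules for the nasp group";` option and a separate `(lib.mkIf (sudoCfg.enable) { security.sudo.extraConfig = ''...''; })` entry, and set it explicitly in the g-series block next to the other `nasp.*.enable = true;` lines. While there, the new `# registry` comment should say what the block provisions (a root oneshot on a 5-minute timer plus, today, the sudo rules) so the coupling is at least visible to the next reader. Separately, the new `code-server` virtual host for `proxy.nasp.fit` sets no TLS options, so unless TLS is terminated by something outside this file the websocket upgrade to the unix socket travels in clear text; worth a one-line comment stating where TLS is handled.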