NASP/NixOS-Config
35
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

build(nasp): refactor

Browse Source
This commit is contained in:
Dict Xiong 2024-05-29 23:52:49 +08:00
parent 4dc50acbe8
commit e9d6ec88ab
2 changed files with 237 additions and 225 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hosts/g2/configuration.nix
View File

@ -7,8 +7,10 @@
../modules/nasp.nix
];
nasp = {
serial = 2;
network = {
enable = true;
gSeries = {
enable = true;
serial = 2;
eth0Name = "eno1";
eth1Name = "eno2";
eth2Name = "enp2s0np0";

456
hosts/modules/nasp.nix
View File

@ -2,18 +2,18 @@
let
mainCfg = config.nasp;
networkCfg = mainCfg.network;
hostName = ("g" + (builtins.toString mainCfg.serial));
ipSuffix = (builtins.toString (mainCfg.serial + 100));
gCfg = mainCfg.gSeries;
dnew = (pkgs.writeShellScriptBin "dnew" (builtins.readFile ./scripts/dnew));
in
{
options.nasp = {
serial = lib.mkOption {
type = lib.types.int;
description = "Serial of the machine (gX)";
};
network = {
enable = lib.mkEnableOption "the nasp server configurations";
gSeries = {
enable = lib.mkEnableOption "the g-series server configurations";
serial = lib.mkOption {
type = lib.types.int;
description = "Serial of the machine (gX)";
};
eth0Name = lib.mkOption {
type = lib.types.str;
description = "Name of eth0 (192.168.16.0/24)";
@ -30,220 +30,230 @@ in
};
# inplementation
config = {
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];
## system config
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
time.hardwareClockInLocalTime = true;
networking.hostName = assert (mainCfg.serial > 0); hostName;
networking.search = [ "nasp" ];
i18n.defaultLocale = "C.UTF-8";
i18n.extraLocaleSettings = lib.mkDefault {
LC_ADDRESS = "zh_CN.UTF-8";
LC_IDENTIFICATION = "zh_CN.UTF-8";
LC_MEASUREMENT = "zh_CN.UTF-8";
LC_MONETARY = "zh_CN.UTF-8";
LC_NAME = "zh_CN.UTF-8";
LC_NUMERIC = "zh_CN.UTF-8";
LC_PAPER = "zh_CN.UTF-8";
LC_TELEPHONE = "zh_CN.UTF-8";
LC_TIME = "zh_CN.UTF-8";
};
time.timeZone = lib.mkDefault "Asia/Shanghai";
## networking
networking.nameservers = [ "192.168.16.118" ];
services.resolved.enable = true;
networking.networkmanager.enable = false;
networking.useDHCP = false;
systemd.network.enable = true;
systemd.network.networks."10-eth0" = {
matchConfig.Name = networkCfg.eth0Name;
networkConfig = {
DHCP = "no";
IPv6AcceptRA = true;
};
address = [ "192.168.16.${ipSuffix}/24" ];
routes = [
{
routeConfig = {
Gateway = "192.168.16.118";
GatewayOnLink = true;
Metric = 90;
};
}
{
routeConfig = {
Gateway = "2001:da8:bf:300::1";
GatewayOnLink = true;
Metric = 90;
};
}
];
};
systemd.network.networks."10-eth1" = {
matchConfig.Name = networkCfg.eth1Name;
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
systemd.network.networks."10-eth2" = {
matchConfig.Name = networkCfg.eth2Name;
address = [ "12.12.12.${ipSuffix}/24" ];
};
networking.interfaces.eno1.wakeOnLan.enable = true;
networking.extraHosts = ''
192.168.16.101 g1-nasp g1
192.168.16.102 g2-nasp g2
192.168.16.103 g3-nasp g3
192.168.16.104 g4-nasp g4
192.168.16.105 g5-nasp g5
192.168.16.106 g6-nasp g6
192.168.16.107 g7-nasp g7
192.168.16.108 g8-nasp g8
192.168.16.109 g9-nasp g9
192.168.16.110 g10-nasp g10
192.168.16.111 g11-nasp g11
192.168.16.112 g12-nasp g12
192.168.16.113 g13-nasp g13
192.168.16.114 g14-nasp g14
192.168.16.115 g15-nasp g15
192.168.16.116 g16-nasp g16
192.168.16.117 g17-nasp g17
192.168.16.118 g18-nasp g18 nasp.fit git.nasp.fit
192.168.16.119 g19-nasp g19
192.168.16.120 g20-nasp g20
'';
networking.firewall = {
allowedTCPPorts = [ 12022 ];
extraCommands = ''
iptables -A INPUT -s 192.168.16.0/24 -j ACCEPT
iptables -A INPUT -s 12.12.12.0/24 -j ACCEPT
'';
};
networking.rxe = {
enable = true;
interfaces = [ "${networkCfg.eth2Name}" ];
};
## packages and services
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
bash cmake curl file fzf gcc git gnumake htop nettools inetutils iproute2 iputils less man
openssh openssl python3 rdma-core sops sudo tmux util-linux vim wget zsh
# extended
acpi atop btop dialog dig dmidecode dos2unix ethtool fish iftop iotop killall lshw lsof
mtr netcat-gnu nethogs nmap pciutils plocate pstree pwgen ripgrep smartmontools socat
sysstat tcpdump unzip usbutils virt-what zip
# full
wireshark zmap
# custom
dnew
];
programs.zsh.enable = true;
services.cron.enable = true;
systemd.timers."registry" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/5:0";
Unit = "registry.service";
};
};
systemd.services."registry" = {
serviceConfig = {
Type = "oneshot";
User = "root";
};
script = builtins.readFile ./scripts/registry.sh;
path = [ pkgs.git pkgs.bash pkgs.su ];
};
## user config
users.users.root.shell = pkgs.zsh;
## dotfiles.cn
system.activationScripts.dotfilesSetup.text = ''
if [ -d ~ -a ! -e ~/dotfiles/update.sh ]; then
source ${config.system.build.setEnvironment}
rm -rf ~/dotfiles
bash <(curl -fsSL dotfiles.cn)
fi
'';
## server
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys2" ];
services.openssh.ports = [ 12022 ];
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
## xserver
services.xserver = {
enable = true;
videoDrivers = [ "nvidia" ];
displayManager.gdm.enable = true;
desktopManager.gnome = {
enable = true;
extraGSettingsOverridePackages = [ pkgs.gnome.mutter ];
extraGSettingsOverrides = ''
[org.gnome.mutter]
experimental-features=['scale-monitor-framebuffer']
config = lib.mkIf mainCfg.enable (lib.mkMerge [
# base
{
## nix
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];
## hardware and system
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
time.hardwareClockInLocalTime = true;
i18n.defaultLocale = "C.UTF-8";
i18n.extraLocaleSettings = lib.mkDefault {
LC_ADDRESS = "zh_CN.UTF-8";
LC_IDENTIFICATION = "zh_CN.UTF-8";
LC_MEASUREMENT = "zh_CN.UTF-8";
LC_MONETARY = "zh_CN.UTF-8";
LC_NAME = "zh_CN.UTF-8";
LC_NUMERIC = "zh_CN.UTF-8";
LC_PAPER = "zh_CN.UTF-8";
LC_TELEPHONE = "zh_CN.UTF-8";
LC_TIME = "zh_CN.UTF-8";
};
time.timeZone = lib.mkDefault "Asia/Shanghai";
## network
services.resolved.enable = true;
networking.networkmanager.enable = false;
networking.useDHCP = false;
systemd.network.enable = true;
networking.firewall.allowedTCPPorts = [ 12022 ];
## packages and services
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
bash cmake curl file fzf gcc git gnumake htop nettools inetutils iproute2 iputils less man
openssh openssl python3 rdma-core sops sudo tmux util-linux vim wget zsh
# extended
acpi atop btop dialog dig dmidecode dos2unix ethtool fish iftop iotop killall lshw lsof
mtr netcat-gnu nethogs nmap pciutils plocate pstree pwgen ripgrep smartmontools socat
sysstat tcpdump unzip usbutils virt-what zip
# full
wireshark zmap
];
programs.zsh.enable = true;
services.cron.enable = true;
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys2" ];
services.openssh.ports = [ 12022 ];
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
## users
users.mutableUsers = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUN7IXF4nlFcVfgHesgik3LIAiXlVMYJPm3yD13EVarQx5jqdBgk8Dwgkgf4rPO6MFpvIpinOyEO8zOS6HHQrCLZUv5yTFaDkUuB7eQ0EmpicGbmk9bHqj1HkOZxaobkpEfQUmFKYvkp4EexVw66sO0qfXvjHZ4H6yCAJLK5aUnKfgrE8tODzP82sU/mpJjW+Pq3uanNq754gaHwhxCIXG143/zp8qzBAeKe38xVqqDq9fTkG4hvzFvkRdS88i6l1z++0P3n0HGdOjtSg7P7fO7+7ZyPYr0gO5vB720Om/zxqPrGd9cicWi4P+aVKa+0ujWH/pqufWG6uCjKWHnBs7 sk0/piv/9a"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLYgVj+NPino6sOmahULN7SbAMaVAgzqPfDjz2S8zDv pc1/windows"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhS4voo3K/Dvzqckr0bouO1WkCI5XxswstHWnuuyKBz ltp1-bd"
];
users.users.root.shell = pkgs.zsh;
system.activationScripts.dotfilesSetup.text = ''
if [ -d ~ -a ! -e ~/dotfiles/update.sh ]; then
source ${config.system.build.setEnvironment}
rm -rf ~/dotfiles
bash <(curl -fsSL dotfiles.cn)
fi
'';
};
layout = "us";
xkbVariant = "";
};
## docker
virtualisation.docker = {
enable = true;
enableNvidia = true;
daemon.settings = {
ipv6 = true;
fixed-cidr-v6 = "fddd:d0c1:1::/64";
experimental = true;
ip6tables = true;
live-restore = false;
};
};
nixpkgs.config.nvidia.acceptLicense = true;
hardware.nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
modesetting.enable = true;
powerManagement.enable = false;
powerManagement.finegrained = false;
open = false;
nvidiaSettings = true;
};
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
## users
users.mutableUsers = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUN7IXF4nlFcVfgHesgik3LIAiXlVMYJPm3yD13EVarQx5jqdBgk8Dwgkgf4rPO6MFpvIpinOyEO8zOS6HHQrCLZUv5yTFaDkUuB7eQ0EmpicGbmk9bHqj1HkOZxaobkpEfQUmFKYvkp4EexVw66sO0qfXvjHZ4H6yCAJLK5aUnKfgrE8tODzP82sU/mpJjW+Pq3uanNq754gaHwhxCIXG143/zp8qzBAeKe38xVqqDq9fTkG4hvzFvkRdS88i6l1z++0P3n0HGdOjtSg7P7fO7+7ZyPYr0gO5vB720Om/zxqPrGd9cicWi4P+aVKa+0ujWH/pqufWG6uCjKWHnBs7 sk0/piv/9a"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLYgVj+NPino6sOmahULN7SbAMaVAgzqPfDjz2S8zDv pc1/windows"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhS4voo3K/Dvzqckr0bouO1WkCI5XxswstHWnuuyKBz ltp1-bd"
];
users.users.nasp = {
isNormalUser = true;
createHome = true;
group = "nasp";
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = with pkgs; [
firefox
];
hashedPassword = "$y$j9T$Ei67I7VhQD6gF20/lNBUx0$jnrLqLNSJVCS959deKCamoOi4Q76nNeQ7/kDQCCABl1";
};
users.groups.nasp = {};
security.sudo.extraConfig = ''
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/docker
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/reboot
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/whoami
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/nvidia-smi
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/shutdown
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/ip
'';
};
users.users.nasp = {
isNormalUser = true;
createHome = true;
group = "nasp";
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = with pkgs; [
firefox
];
hashedPassword = "$y$j9T$Ei67I7VhQD6gF20/lNBUx0$jnrLqLNSJVCS959deKCamoOi4Q76nNeQ7/kDQCCABl1";
};
users.groups.nasp = {};
}
# g series
(lib.mkIf (gCfg.enable) let
ipSuffix = (builtins.toString (gCfg.serial + 100));
in {
## hardware
nixpkgs.config.nvidia.acceptLicense = true;
hardware.nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
modesetting.enable = true;
powerManagement.enable = false;
powerManagement.finegrained = false;
open = false;
nvidiaSettings = true;
};
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
## network
networking.hostName = assert (gCfg.serial > 0); "g" + (builtins.toString gCfg.serial);
networking.search = [ "nasp" ];
networking.nameservers = [ "192.168.16.118" ];
systemd.network.networks."10-eth0" = {
matchConfig.Name = gCfg.eth0Name;
networkConfig = {
DHCP = "no";
IPv6AcceptRA = true;
};
address = [ "192.168.16.${ipSuffix}/24" ];
routes = [
{
routeConfig = {
Gateway = "192.168.16.118";
GatewayOnLink = true;
Metric = 90;
};
}
{
routeConfig = {
Gateway = "2001:da8:bf:300::1";
GatewayOnLink = true;
Metric = 90;
};
}
];
};
systemd.network.networks."10-eth1" = {
matchConfig.Name = gCfg.eth1Name;
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
systemd.network.networks."10-eth2" = {
matchConfig.Name = gCfg.eth2Name;
address = [ "12.12.12.${ipSuffix}/24" ];
};
networking.interfaces.${gCfg.eth0Name}.wakeOnLan.enable = true;
networking.extraHosts = ''
192.168.16.101 g1-nasp g1
192.168.16.102 g2-nasp g2
192.168.16.103 g3-nasp g3
192.168.16.104 g4-nasp g4
192.168.16.105 g5-nasp g5
192.168.16.106 g6-nasp g6
192.168.16.107 g7-nasp g7
192.168.16.108 g8-nasp g8
192.168.16.109 g9-nasp g9
192.168.16.110 g10-nasp g10
192.168.16.111 g11-nasp g11
192.168.16.112 g12-nasp g12
192.168.16.113 g13-nasp g13
192.168.16.114 g14-nasp g14
192.168.16.115 g15-nasp g15
192.168.16.116 g16-nasp g16
192.168.16.117 g17-nasp g17
192.168.16.118 g18-nasp g18 nasp.fit git.nasp.fit
192.168.16.119 g19-nasp g19
192.168.16.120 g20-nasp g20
'';
networking.firewall.extraCommands = ''
iptables -A INPUT -s 192.168.16.0/24 -j ACCEPT
iptables -A INPUT -s 12.12.12.0/24 -j ACCEPT
'';
networking.rxe = {
enable = true;
interfaces = [ "${networkCfg.eth2Name}" ];
};
## packages and services
environment.systemPackages = with pkgs; [
# custom
dnew
];
systemd.timers."registry" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/5:0";
Unit = "registry.service";
};
};
systemd.services."registry" = {
serviceConfig = {
Type = "oneshot";
User = "root";
};
script = builtins.readFile ./scripts/registry.sh;
path = with pkgs; [ git bash su ];
};
## desktop
services.xserver = {
enable = true;
videoDrivers = [ "nvidia" ];
displayManager.gdm.enable = true;
desktopManager.gnome = {
enable = true;
extraGSettingsOverridePackages = [ pkgs.gnome.mutter ];
extraGSettingsOverrides = ''
[org.gnome.mutter]
experimental-features=['scale-monitor-framebuffer']
'';
};
layout = "us";
xkbVariant = "";
};
## docker
virtualisation.docker = {
enable = true;
enableNvidia = true;
daemon.settings = {
ipv6 = true;
fixed-cidr-v6 = "fddd:d0c1:1::/64";
experimental = true;
ip6tables = true;
live-restore = false;
};
};
## users
security.sudo.extraConfig = ''
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/docker
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/reboot
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/whoami
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/nvidia-smi
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/shutdown
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/ip
'';
})
]);
}