build(nasp): refactor

This commit is contained in:
Dict Xiong 2024-05-29 23:52:49 +08:00
parent 4dc50acbe8
commit e9d6ec88ab
2 changed files with 237 additions and 225 deletions


@ -7,8 +7,10 @@
../modules/nasp.nix ../modules/nasp.nix
]; ];
nasp = { nasp = {
enable = true;
gSeries = {
enable = true;
serial = 2; serial = 2;
network = {
eth0Name = "eno1"; eth0Name = "eno1";
eth1Name = "eno2"; eth1Name = "eno2";
eth2Name = "enp2s0np0"; eth2Name = "enp2s0np0";


@ -2,18 +2,18 @@
let let
mainCfg = config.nasp; mainCfg = config.nasp;
networkCfg = mainCfg.network; gCfg = mainCfg.gSeries;
hostName = ("g" + (builtins.toString mainCfg.serial));
ipSuffix = (builtins.toString (mainCfg.serial + 100));
dnew = (pkgs.writeShellScriptBin "dnew" (builtins.readFile ./scripts/dnew)); dnew = (pkgs.writeShellScriptBin "dnew" (builtins.readFile ./scripts/dnew));
in in
{ {
options.nasp = { options.nasp = {
enable = lib.mkEnableOption "the nasp server configurations";
gSeries = {
enable = lib.mkEnableOption "the g-series server configurations";
serial = lib.mkOption { serial = lib.mkOption {
type = lib.types.int; type = lib.types.int;
description = "Serial of the machine (gX)"; description = "Serial of the machine (gX)";
}; };
network = {
eth0Name = lib.mkOption { eth0Name = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Name of eth0 (192.168.16.0/24)"; description = "Name of eth0 (192.168.16.0/24)";
@ -30,15 +30,16 @@ in
}; };
# inplementation # inplementation
config = { config = lib.mkIf mainCfg.enable (lib.mkMerge [
# base
{
## nix
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ]; nix.settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];
## system config ## hardware and system
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
time.hardwareClockInLocalTime = true; time.hardwareClockInLocalTime = true;
networking.hostName = assert (mainCfg.serial > 0); hostName;
networking.search = [ "nasp" ];
i18n.defaultLocale = "C.UTF-8"; i18n.defaultLocale = "C.UTF-8";
i18n.extraLocaleSettings = lib.mkDefault { i18n.extraLocaleSettings = lib.mkDefault {
LC_ADDRESS = "zh_CN.UTF-8"; LC_ADDRESS = "zh_CN.UTF-8";
@ -52,14 +53,86 @@ in
LC_TIME = "zh_CN.UTF-8"; LC_TIME = "zh_CN.UTF-8";
}; };
time.timeZone = lib.mkDefault "Asia/Shanghai"; time.timeZone = lib.mkDefault "Asia/Shanghai";
## networking ## network
networking.nameservers = [ "192.168.16.118" ];
services.resolved.enable = true; services.resolved.enable = true;
networking.networkmanager.enable = false; networking.networkmanager.enable = false;
networking.useDHCP = false; networking.useDHCP = false;
systemd.network.enable = true; systemd.network.enable = true;
networking.firewall.allowedTCPPorts = [ 12022 ];
## packages and services
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
bash cmake curl file fzf gcc git gnumake htop nettools inetutils iproute2 iputils less man
openssh openssl python3 rdma-core sops sudo tmux util-linux vim wget zsh
# extended
acpi atop btop dialog dig dmidecode dos2unix ethtool fish iftop iotop killall lshw lsof
mtr netcat-gnu nethogs nmap pciutils plocate pstree pwgen ripgrep smartmontools socat
sysstat tcpdump unzip usbutils virt-what zip
# full
wireshark zmap
];
programs.zsh.enable = true;
services.cron.enable = true;
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys2" ];
services.openssh.ports = [ 12022 ];
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
## users
users.mutableUsers = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUN7IXF4nlFcVfgHesgik3LIAiXlVMYJPm3yD13EVarQx5jqdBgk8Dwgkgf4rPO6MFpvIpinOyEO8zOS6HHQrCLZUv5yTFaDkUuB7eQ0EmpicGbmk9bHqj1HkOZxaobkpEfQUmFKYvkp4EexVw66sO0qfXvjHZ4H6yCAJLK5aUnKfgrE8tODzP82sU/mpJjW+Pq3uanNq754gaHwhxCIXG143/zp8qzBAeKe38xVqqDq9fTkG4hvzFvkRdS88i6l1z++0P3n0HGdOjtSg7P7fO7+7ZyPYr0gO5vB720Om/zxqPrGd9cicWi4P+aVKa+0ujWH/pqufWG6uCjKWHnBs7 sk0/piv/9a"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLYgVj+NPino6sOmahULN7SbAMaVAgzqPfDjz2S8zDv pc1/windows"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhS4voo3K/Dvzqckr0bouO1WkCI5XxswstHWnuuyKBz ltp1-bd"
];
users.users.root.shell = pkgs.zsh;
system.activationScripts.dotfilesSetup.text = ''
if [ -d ~ -a ! -e ~/dotfiles/update.sh ]; then
source ${config.system.build.setEnvironment}
rm -rf ~/dotfiles
bash <(curl -fsSL dotfiles.cn)
fi
'';
users.users.nasp = {
isNormalUser = true;
createHome = true;
group = "nasp";
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = with pkgs; [
firefox
];
hashedPassword = "$y$j9T$Ei67I7VhQD6gF20/lNBUx0$jnrLqLNSJVCS959deKCamoOi4Q76nNeQ7/kDQCCABl1";
};
users.groups.nasp = {};
}
# g series
(lib.mkIf (gCfg.enable) let
ipSuffix = (builtins.toString (gCfg.serial + 100));
in {
## hardware
nixpkgs.config.nvidia.acceptLicense = true;
hardware.nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
modesetting.enable = true;
powerManagement.enable = false;
powerManagement.finegrained = false;
open = false;
nvidiaSettings = true;
};
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
## network
networking.hostName = assert (gCfg.serial > 0); "g" + (builtins.toString gCfg.serial);
networking.search = [ "nasp" ];
networking.nameservers = [ "192.168.16.118" ];
systemd.network.networks."10-eth0" = { systemd.network.networks."10-eth0" = {
matchConfig.Name = networkCfg.eth0Name; matchConfig.Name = gCfg.eth0Name;
networkConfig = { networkConfig = {
DHCP = "no"; DHCP = "no";
IPv6AcceptRA = true; IPv6AcceptRA = true;
@ -83,17 +156,17 @@ in
]; ];
}; };
systemd.network.networks."10-eth1" = { systemd.network.networks."10-eth1" = {
matchConfig.Name = networkCfg.eth1Name; matchConfig.Name = gCfg.eth1Name;
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
IPv6AcceptRA = true; IPv6AcceptRA = true;
}; };
}; };
systemd.network.networks."10-eth2" = { systemd.network.networks."10-eth2" = {
matchConfig.Name = networkCfg.eth2Name; matchConfig.Name = gCfg.eth2Name;
address = [ "12.12.12.${ipSuffix}/24" ]; address = [ "12.12.12.${ipSuffix}/24" ];
}; };
networking.interfaces.eno1.wakeOnLan.enable = true; networking.interfaces.${gCfg.eth0Name}.wakeOnLan.enable = true;
networking.extraHosts = '' networking.extraHosts = ''
192.168.16.101 g1-nasp g1 192.168.16.101 g1-nasp g1
192.168.16.102 g2-nasp g2 192.168.16.102 g2-nasp g2
@ -116,33 +189,19 @@ in
192.168.16.119 g19-nasp g19 192.168.16.119 g19-nasp g19
192.168.16.120 g20-nasp g20 192.168.16.120 g20-nasp g20
''; '';
networking.firewall = { networking.firewall.extraCommands = ''
allowedTCPPorts = [ 12022 ];
extraCommands = ''
iptables -A INPUT -s 192.168.16.0/24 -j ACCEPT iptables -A INPUT -s 192.168.16.0/24 -j ACCEPT
iptables -A INPUT -s 12.12.12.0/24 -j ACCEPT iptables -A INPUT -s 12.12.12.0/24 -j ACCEPT
''; '';
};
networking.rxe = { networking.rxe = {
enable = true; enable = true;
interfaces = [ "${networkCfg.eth2Name}" ]; interfaces = [ "${networkCfg.eth2Name}" ];
}; };
## packages and services ## packages and services
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
bash cmake curl file fzf gcc git gnumake htop nettools inetutils iproute2 iputils less man
openssh openssl python3 rdma-core sops sudo tmux util-linux vim wget zsh
# extended
acpi atop btop dialog dig dmidecode dos2unix ethtool fish iftop iotop killall lshw lsof
mtr netcat-gnu nethogs nmap pciutils plocate pstree pwgen ripgrep smartmontools socat
sysstat tcpdump unzip usbutils virt-what zip
# full
wireshark zmap
# custom # custom
dnew dnew
]; ];
programs.zsh.enable = true;
services.cron.enable = true;
systemd.timers."registry" = { systemd.timers."registry" = {
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
@ -156,28 +215,9 @@ in
User = "root"; User = "root";
}; };
script = builtins.readFile ./scripts/registry.sh; script = builtins.readFile ./scripts/registry.sh;
path = [ pkgs.git pkgs.bash pkgs.su ]; path = with pkgs; [ git bash su ];
}; };
## user config ## desktop
users.users.root.shell = pkgs.zsh;
## dotfiles.cn
system.activationScripts.dotfilesSetup.text = ''
if [ -d ~ -a ! -e ~/dotfiles/update.sh ]; then
source ${config.system.build.setEnvironment}
rm -rf ~/dotfiles
bash <(curl -fsSL dotfiles.cn)
fi
'';
## server
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys2" ];
services.openssh.ports = [ 12022 ];
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
## xserver
services.xserver = { services.xserver = {
enable = true; enable = true;
videoDrivers = [ "nvidia" ]; videoDrivers = [ "nvidia" ];
@ -205,38 +245,7 @@ in
live-restore = false; live-restore = false;
}; };
}; };
nixpkgs.config.nvidia.acceptLicense = true;
hardware.nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
modesetting.enable = true;
powerManagement.enable = false;
powerManagement.finegrained = false;
open = false;
nvidiaSettings = true;
};
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
## users ## users
users.mutableUsers = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUN7IXF4nlFcVfgHesgik3LIAiXlVMYJPm3yD13EVarQx5jqdBgk8Dwgkgf4rPO6MFpvIpinOyEO8zOS6HHQrCLZUv5yTFaDkUuB7eQ0EmpicGbmk9bHqj1HkOZxaobkpEfQUmFKYvkp4EexVw66sO0qfXvjHZ4H6yCAJLK5aUnKfgrE8tODzP82sU/mpJjW+Pq3uanNq754gaHwhxCIXG143/zp8qzBAeKe38xVqqDq9fTkG4hvzFvkRdS88i6l1z++0P3n0HGdOjtSg7P7fO7+7ZyPYr0gO5vB720Om/zxqPrGd9cicWi4P+aVKa+0ujWH/pqufWG6uCjKWHnBs7 sk0/piv/9a"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLYgVj+NPino6sOmahULN7SbAMaVAgzqPfDjz2S8zDv pc1/windows"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhS4voo3K/Dvzqckr0bouO1WkCI5XxswstHWnuuyKBz ltp1-bd"
];
users.users.nasp = {
isNormalUser = true;
createHome = true;
group = "nasp";
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = with pkgs; [
firefox
];
hashedPassword = "$y$j9T$Ei67I7VhQD6gF20/lNBUx0$jnrLqLNSJVCS959deKCamoOi4Q76nNeQ7/kDQCCABl1";
};
users.groups.nasp = {};
security.sudo.extraConfig = '' security.sudo.extraConfig = ''
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/docker %nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/docker
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/reboot %nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/reboot
@ -245,5 +254,6 @@ in
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/shutdown %nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/shutdown
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/ip %nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/ip
''; '';
}; })
]);
} }
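Review bot: The g-series block still reads `networkCfg.eth2Name` inside `networking.rxe.interfaces`, but the `let` on the new side binds `gCfg = mainCfg.gSeries` and no longer defines `networkCfg`, so evaluating a host with `gSeries.enable = true` fails on an undefined variable; the line should become `interfaces = [ "${gCfg.eth2Name}" ];`, matching the neighbouring `matchConfig.Name = gCfg.eth2Name;` changes. In the same file, `(lib.mkIf (gCfg.enable) let ipSuffix = …; in { … })` passes a bare `let … in` as a function argument, which as far as I can tell the Nix grammar does not accept without parentheses — `(lib.mkIf gCfg.enable (let ipSuffix = builtins.toString (gCfg.serial + 100); in { … }))`. Separately, the root `authorizedKeys`, the wheel-group `nasp` account with its committed `hashedPassword`, and the root-run `bash <(curl -fsSL dotfiles.cn)` activation script moved from the g-series block into the unconditional base block, so every host with `nasp.enable` now shares those credentials and executes unpinned remote code on each activation, where previously only g-series machines did; if that widening is intended, a comment saying so above `# base` would help, and the activation fetch would benefit from a pinned URL plus checksum verification.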