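# NixOS host configuration for "g18-next".
#
# Configures, in order: the shared `nasp` module options, a GRUB boot loader on
# /dev/vda, a static systemd-networkd address on enp1s0, and four services:
# Gitea (HTTP 3000, SSH 22), InfluxDB 2, a dnsmasq stub resolver and Grafana
# (HTTP 3002, sign-in delegated to Gitea via OAuth).
{ inputs, config, lib, pkgs, ... }:
let
  # Package set from the unstable channel; only used for the Gitea package below.
  unstable = import inputs.nixpkgs-unstable { system = config.nixpkgs.system; };
in
{
  imports = [
    ./hardware-configuration.nix
    ../modules/nasp.nix
  ];

  nasp = {
    enable = true;
    gSeries = {
      enable = true;
      serial = 18;
    };
    registry.enable = false;
    nginx.enableCodeServer = false;
    nvidia.enable = false;
  };

  # mkForce overrides boot-loader values set elsewhere (presumably in
  # ../modules/nasp.nix; confirm) so that this host boots with GRUB.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

  # networking
  networking.hostName = lib.mkForce "g18-next";
  networking.hostId = "11f1fad0";
  systemd.network.networks."10-veth0" = {
    matchConfig.Name = "enp1s0";
    networkConfig = {
      DHCP = "no";
      IPv6AcceptRA = true;
    };
    address = [ "192.168.122.118/24" ];
    routes = [
      {
        routeConfig = {
          Gateway = "192.168.122.1";
          GatewayOnLink = true;
          Metric = 90;
        };
      }
    ];
  };
  services.resolved.enable = true;

  # Accept all traffic from the gateway address 192.168.122.1.
  #
  # The rule goes into the NixOS-managed `nixos-fw` chain rather than straight
  # into INPUT: extraCommands run before the final refuse rule of that chain,
  # and the chain is flushed whenever the firewall unit stops or restarts. A
  # rule appended to INPUT is not cleaned up, so it is added again on every
  # restart and stays in place while the firewall is stopped.
  #
  # NOTE(review): this trusts 192.168.122.1 on every port and protocol. If that
  # host only needs to reach the HTTP ports configured below (3000, 3002),
  # restrict the rule to those ports. Confirm what the gateway has to reach.
  networking.firewall.extraCommands = ''
    iptables -A nixos-fw -s 192.168.122.1 -j nixos-fw-accept
  '';

  # service: gitea
  services.gitea = {
    enable = true;
    package = unstable.gitea;
    stateDir = "/data0/lib/gitea";
    database.type = "sqlite3";
    settings = {
      server = {
        SSH_DOMAIN = "nasp.fit";
        DOMAIN = "git.nasp.fit";
        # NOTE(review): no HTTP_ADDR is set here, whereas Grafana below is
        # pinned to 192.168.122.118. Unless another module sets it, reachability
        # of port 3000 depends on the firewall alone. Confirm this is intended.
        HTTP_PORT = 3000;
        ROOT_URL = "https://git.nasp.fit/";
        DISABLE_SSH = false;
        SSH_PORT = 22;
        OFFLINE_MODE = false;
        # Gitea serves SSH itself; clients connect as user "git".
        START_SSH_SERVER = true;
        BUILTIN_SSH_SERVER_USER = "git";
      };
      "repository.pull-request" = {
        DEFAULT_MERGE_STYLE = "squash";
      };
      "repository.signing" = {
        DEFAULT_TRUST_MODEL = "committer";
      };
      # Requests to github.com are sent through this HTTP proxy, which
      # therefore has to be a trusted hop.
      proxy = {
        PROXY_ENABLED = true;
        PROXY_URL = "http://192.168.255.1:20171";
        PROXY_HOSTS = "github.com";
      };
    };
  };
  # A systemd socket unit holds TCP port 22 for Gitea, presumably so the
  # unprivileged service can serve SSH on a privileged port (confirm).
  # NOTE(review): make sure no OpenSSH daemon on this host also binds port 22.
  systemd.sockets.gitea.listenStreams = [ "22" ];
  # Gitea's state lives under /data0, so the service must not start before
  # that file system is mounted.
  systemd.services.gitea.requires = [ "gitea.socket" "data0.mount" ];
  systemd.services.gitea.after = [ "data0.mount" ];

  # service: influxdb
  services.influxdb2.enable = true;
  # Start InfluxDB only once its bind mount (declared below) is in place.
  systemd.services.influxdb2.requires = [ "var-lib-influxdb2.mount" ];
  systemd.services.influxdb2.after = [ "var-lib-influxdb2.mount" ];
  # Bind-mount the data directory from /data0 onto /var/lib/influxdb2.
  fileSystems."/var/lib/influxdb2" = {
    depends = [ "/data0" ];
    device = "/data0/lib/influxdb";
    options = [ "bind" ];
  };

  # service: dnsmasq stub dns server
  services.dnsmasq = {
    enable = true;
    settings = {
      # Answer only on enp1s0 and loopback, binding those interfaces explicitly.
      interface = [ "enp1s0" "lo" ];
      bind-interfaces = true;
      # Do not forward plain (dot-less) names or reverse lookups for private
      # address ranges to the upstream servers.
      domain-needed = true;
      bogus-priv = true;
      # Ignore /etc/resolv.conf; only the servers listed below are used.
      no-resolv = true;
      no-poll = true;
      domain = "nasp";
      # The last two entries send tsinghua.edu.cn queries to dedicated servers.
      server = [
        "101.6.6.6"
        "1.1.1.1"
        "2001:da8::666"
        "/tsinghua.edu.cn/166.111.8.29"
        "/tsinghua.edu.cn/166.111.8.28"
      ];
    };
  };

  # service: grafana
  # OAuth client credentials are sops-managed secrets readable by the grafana
  # user; Grafana loads them at runtime through the $__file{} references
  # below, so they are not written into this file.
  sops.secrets."grafana/oauth_client_id" = { owner = "grafana"; };
  sops.secrets."grafana/oauth_client_secret" = { owner = "grafana"; };
  services.grafana = {
    enable = true;
    dataDir = "/data0/lib/grafana";
    settings = {
      server = {
        http_addr = "192.168.122.118";
        http_port = 3002;
        domain = "grafana.nasp.fit";
        root_url = "https://grafana.nasp.fit/";
      };
      auth = {
        # With the login form disabled, Gitea OAuth is the only interactive way in.
        disable_login_form = true;
        # NOTE(review): with this enabled, Grafana maps an OAuth login onto an
        # existing Grafana user by e-mail address alone. That is only safe if
        # Gitea guarantees that every account's e-mail is verified and cannot
        # be set to an address the user does not own. Prefer `false` unless
        # existing accounts still need the e-mail match to be linked.
        oauth_allow_insecure_email_lookup = true;
      };
      "auth.generic_oauth" = {
        enabled = true;
        name = "NASP Gitea";
        # NOTE(review): every account that can sign in to Gitea gets a Grafana
        # user on first login. If Gitea registration is open, consider limiting
        # who may sign up here.
        allow_sign_up = true;
        auto_login = true;
        scopes = "read:user,read:organization";
        empty_scopes = false;
        auth_url = "https://git.nasp.fit/login/oauth/authorize";
        token_url = "https://git.nasp.fit/login/oauth/access_token";
        api_url = "https://git.nasp.fit/api/v1/user";
        # NOTE(review): PKCE is off. It is a low-cost hardening of the
        # authorization-code flow; enable it once the Gitea side is confirmed
        # to accept it.
        use_pkce = false;
        client_id = "$__file{/run/secrets/grafana/oauth_client_id}";
        client_secret = "$__file{/run/secrets/grafana/oauth_client_secret}";
      };
    };
  };

  system.stateVersion = "24.05";
}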