NixOS-Config/hosts/web-server/configuration.nix
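# NixOS host configuration for the "web-server" machine: static networking via
# systemd-networkd, key-only SSH on a non-default port, nginx with ACME, and a
# single declarative admin user. Module arguments (inputs, config, lib, pkgs)
# are supplied by the NixOS module system / flake that imports this file.
{ inputs, config, lib, pkgs, ... }:
{
  imports =
    [
      ./hardware-configuration.nix
    ];

  ## nix
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  # The mirror replaces the default cache.nixos.org substituter. Substituted
  # paths are still verified against nix.settings.trusted-public-keys (left at
  # its default here), so the mirror cannot serve unsigned store paths.
  nix.settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];

  ## hardware and system
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  # RTC kept in local time (normally only needed on dual-boot desktops).
  time.hardwareClockInLocalTime = true;
  i18n.defaultLocale = "C.UTF-8";
  i18n.extraLocaleSettings = lib.mkDefault {
    LC_ADDRESS = "zh_CN.UTF-8";
    LC_IDENTIFICATION = "zh_CN.UTF-8";
    LC_MEASUREMENT = "zh_CN.UTF-8";
    LC_MONETARY = "zh_CN.UTF-8";
    LC_NAME = "zh_CN.UTF-8";
    LC_NUMERIC = "zh_CN.UTF-8";
    LC_PAPER = "zh_CN.UTF-8";
    LC_TELEPHONE = "zh_CN.UTF-8";
    LC_TIME = "zh_CN.UTF-8";
  };
  time.timeZone = lib.mkDefault "Asia/Shanghai";

  ## network
  services.resolved.enable = true;
  networking.nameservers = [
    "166.111.8.29"
    "166.111.8.28"
  ];
  # systemd-networkd with a static address (unit "10-thunet" below); no
  # NetworkManager and no DHCP.
  networking.networkmanager.enable = false;
  networking.useDHCP = false;
  systemd.network.enable = true;
  # 80/443: nginx (80 is also required for the ACME HTTP-01 challenge).
  # 12022: sshd; services.openssh.openFirewall (default true) already opens
  # the ports in services.openssh.ports, so the entry here is explicit rather
  # than required.
  networking.firewall.allowedTCPPorts = [ 80 443 12022 ];

  ## packages and services
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    bash cmake curl file fzf gcc git gnumake htop nettools inetutils iproute2 iputils less man
    openssh openssl python3 rdma-core sops sudo tmux util-linux vim wget zsh
    # extended
    acpi atop btop dialog dig dmidecode dos2unix ethtool fish gnupg iftop iotop killall lshw
    lsof mtr netcat-gnu nethogs nmap pciutils plocate pstree pwgen ripgrep smartmontools socat
    sysstat tcpdump unzip usbutils virt-what zip
    # full
    wireshark zmap
  ];
  programs.zsh.enable = true;
  programs.nix-ld.enable = true;
  services.cron.enable = true;

  # SSH: public-key authentication only; root may log in with a key but never
  # with a password (root has no hashedPassword below anyway).
  services.openssh.enable = true;
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  services.openssh.settings.PasswordAuthentication = false;
  # PasswordAuthentication=no on its own does not stop password prompts that
  # sshd delivers through PAM keyboard-interactive (enabled by default in
  # NixOS). Disable that path too, so the nasp password below is usable for
  # sudo on the console but not for logging in over SSH.
  services.openssh.settings.KbdInteractiveAuthentication = false;
  # Appended to the files sshd already honours (~/.ssh/authorized_keys and the
  # declaratively generated /etc/ssh/authorized_keys.d/<user>). Relative paths
  # resolve from the user's home, so this adds a second user-writable, legacy
  # key file; keep it only if something still writes authorized_keys2.
  services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys2" ];
  services.openssh.ports = [ 12022 ];
  # Never let the server sleep.
  systemd.targets.sleep.enable = false;
  systemd.targets.suspend.enable = false;
  systemd.targets.hibernate.enable = false;
  systemd.targets.hybrid-sleep.enable = false;

  ## users
  # Declarative users only: passwords, groups and the per-user key files under
  # /etc/ssh/authorized_keys.d are regenerated on every activation, so changes
  # made on the host with passwd/usermod do not persist.
  users.mutableUsers = false;
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUN7IXF4nlFcVfgHesgik3LIAiXlVMYJPm3yD13EVarQx5jqdBgk8Dwgkgf4rPO6MFpvIpinOyEO8zOS6HHQrCLZUv5yTFaDkUuB7eQ0EmpicGbmk9bHqj1HkOZxaobkpEfQUmFKYvkp4EexVw66sO0qfXvjHZ4H6yCAJLK5aUnKfgrE8tODzP82sU/mpJjW+Pq3uanNq754gaHwhxCIXG143/zp8qzBAeKe38xVqqDq9fTkG4hvzFvkRdS88i6l1z++0P3n0HGdOjtSg7P7fO7+7ZyPYr0gO5vB720Om/zxqPrGd9cicWi4P+aVKa+0ujWH/pqufWG6uCjKWHnBs7 sk0/piv/9a"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLYgVj+NPino6sOmahULN7SbAMaVAgzqPfDjz2S8zDv pc1/windows"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhS4voo3K/Dvzqckr0bouO1WkCI5XxswstHWnuuyKBz ltp1-bd"
  ];
  users.users.root.shell = pkgs.zsh;
  # NOTE(review): this fetches and executes a remote script as root on every
  # activation until ~/dotfiles/update.sh exists. The URL carries no scheme, so
  # curl falls back to plain http, and nothing pins the script's content. An
  # https URL plus a checksum check, or vendoring the script into this repo,
  # removes the network path from the root-level activation step.
  system.activationScripts.dotfilesSetup.text = ''
    if [ -d ~ -a ! -e ~/dotfiles/update.sh ]; then
      source ${config.system.build.setEnvironment}
      rm -rf ~/dotfiles
      bash <(curl -fsSL dotfiles.cn)
    fi
  '';
  users.users.nasp = {
    isNormalUser = true;
    createHome = true;
    group = "nasp";
    extraGroups = [ "wheel" ]; # Enable sudo for the user.
    packages = with pkgs; [
      firefox
    ];
    # NOTE(review): a password hash committed to the repository (and copied
    # into the world-readable Nix store) is exposed to offline cracking by
    # anyone who can read either. users.users.<name>.hashedPasswordFile with a
    # secret manager (sops is already installed above) keeps the hash out of
    # both.
    hashedPassword = "$y$j9T$PA/kAY8wcMuHBSz/3Elie.$eHtZUNqCIfAdRBHdCUzuCodaJqcpcYv9nF03wIHX3zD";
  };
  users.groups.nasp = {};

  ## desktop
  # NOTE(review): a full GNOME/GDM session adds running services and packages
  # that the nginx/ssh role of this host does not need; consider dropping it
  # if the machine is administered over SSH only.
  services.xserver = {
    enable = true;
    displayManager.gdm.enable = true;
    desktopManager.gnome.enable = true;
    xkb.layout = "us";
  };

  # networking
  networking.hostName = "nasp-web-server";
  # Static address on the campus network. Until the TODOs are filled in,
  # Name = "xxx" matches no interface and this unit configures nothing, which
  # with useDHCP = false leaves the host without an address.
  systemd.network.networks."10-thunet" = {
    matchConfig.Name = "xxx"; # TODO: real interface name
    networkConfig = {
      DHCP = "no";
      IPv6AcceptRA = false;
    };
    address = [ "166.111.68.109/24" ]; # TODO
    routes = [
      {
        routeConfig = {
          Gateway = "166.111.68.1"; # TODO
          GatewayOnLink = true;
          Metric = 90;
        };
      }
    ];
  };

  # service: nginx
  services.nginx = {
    enable = true;
    # services.nginx.recommendedTlsSettings (not set here) supplies the
    # hardened protocol/cipher defaults; worth enabling for a public vhost.
    virtualHosts."nasp.cs.tsinghua.edu.cn" = {
      http2 = true;
      # addSSL keeps the plaintext :80 listener alongside :443. If plaintext
      # is not needed beyond the ACME challenge, forceSSL redirects http to
      # https instead.
      addSSL = true;
      # The ACME module asserts that security.acme.acceptTerms = true and an
      # email (security.acme.defaults.email or per-cert) are set; neither is
      # in this file, so they must come from another imported module.
      enableACME = true;
      locations."/" = {
        root = "/data0/var/www/www";
      };
    };
  };

  # Release the host was first installed with; controls stateful defaults and
  # must not be bumped on upgrades.
  system.stateVersion = "24.05";
}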