
{ inputs, config, lib, pkgs, ... }:
let
# Second nixpkgs instantiation from the `nixpkgs-unstable` flake input; it is
# used below for `services.gitea.package`.  Only `system` is passed, so this
# instance does not carry the host's nixpkgs config (allowUnfree, overlays).
unstable = import inputs.nixpkgs-unstable { inherit (config.nixpkgs) system; };
in
{
# Host-specific hardware settings plus the shared site module, which
# presumably declares the `nasp.*` options set below.
imports = [ ./hardware-configuration.nix ../modules/nasp.nix ];
# Site-module options (see ../modules/nasp.nix): G-series unit 18 with
# `registry`, the code-server nginx vhost and `nvidia` switched off.
nasp = {
  enable = true;
  gSeries.enable = true;
  gSeries.serial = 18;
  registry.enable = false;
  nginx.enableCodeServer = false;
  nvidia.enable = false;
};
# GRUB installed to the whole disk /dev/vda (legacy BIOS boot on a virtio
# disk, by the look of it).  mkForce overrides the systemd-boot/EFI settings
# that the imported module presumably enables for the other hosts.
boot.loader = {
  systemd-boot.enable = lib.mkForce false;
  efi.canTouchEfiVariables = lib.mkForce false;
  grub = {
    enable = true;
    device = "/dev/vda";
  };
};
# networking
# hostName is forced because the imported module presumably sets one too.
networking.hostName = lib.mkForce "g18-next";
networking.hostId = "11f1fad0";

# Static IPv4 on enp1s0 via systemd-networkd; IPv6 still comes from router
# advertisements.  192.168.122.0/24 looks like the libvirt default NAT
# network, i.e. this host is a VM and 192.168.122.1 is the hypervisor
# (confirm).  The unit name "10-veth0" does not match the interface it
# configures.
systemd.network.networks."10-veth0" = {
  matchConfig.Name = "enp1s0";
  networkConfig.DHCP = "no";
  networkConfig.IPv6AcceptRA = true;
  address = [ "192.168.122.118/24" ];
  routes = [{
    routeConfig = {
      Gateway = "192.168.122.1";
      GatewayOnLink = true;
      Metric = 90;
    };
  }];
};

# systemd-resolved as the local stub resolver (127.0.0.53 by default); the
# dnsmasq instance further down binds lo/enp1s0 on port 53 separately, so the
# two should not collide — TODO confirm on the running host.
services.resolved.enable = true;
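# Accept all inbound IPv4 traffic from the gateway 192.168.122.1 (the
# hypervisor, presumably — see the route above).
#
# The rule is appended to the `nixos-fw` chain rather than to INPUT: the
# NixOS firewall flushes and re-creates `nixos-fw` on every (re)start but
# never flushes INPUT, so a rule placed directly in INPUT is duplicated on
# each restart and is left behind after `systemctl stop firewall`.
# extraCommands run just before the chain's final reject rule, so this
# ACCEPT still decides for that source.  (extraCommands are only honoured
# by the iptables backend; they are not applied under networking.nftables.)
#
# NOTE(review): this trusts a bare source address, not a port; it is only
# as strong as the L2 segment it sits on.
networking.firewall.extraCommands = ''
  iptables -A nixos-fw -s 192.168.122.1 -j ACCEPT
'';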
# service: gitea
services.gitea =
  let host = "git.nasp.fit"; in {
    enable = true;
    package = unstable.gitea;        # from the unstable nixpkgs instance above
    stateDir = "/data0/lib/gitea";   # lives on /data0, hence the mount deps below
    database.type = "sqlite3";
    settings = {
      server = {
        DOMAIN = host;
        ROOT_URL = "https://${host}/";
        # No HTTP_ADDR is set, so Gitea's own default listen address applies
        # (0.0.0.0 per its docs); TLS is evidently terminated elsewhere since
        # ROOT_URL is https — presumably a reverse proxy on another host.
        HTTP_PORT = 3000;
        # Built-in SSH server (no dependency on sshd) answering on port 22 as
        # user "git"; clone URLs use SSH_DOMAIN rather than DOMAIN.
        SSH_DOMAIN = "nasp.fit";
        DISABLE_SSH = false;
        START_SSH_SERVER = true;
        SSH_PORT = 22;
        BUILTIN_SSH_SERVER_USER = "git";
        OFFLINE_MODE = false;
      };
      "repository.pull-request".DEFAULT_MERGE_STYLE = "squash";
      # Signature trust model: a commit counts as trusted when the signing
      # key belongs to the committer (see Gitea's signing docs for details).
      "repository.signing".DEFAULT_TRUST_MODEL = "committer";
      # Outbound proxy, applied to github.com only (mirrors/migrations);
      # the proxy itself is reached over plain HTTP on a private address.
      proxy = {
        PROXY_ENABLED = true;
        PROXY_URL = "http://192.168.255.1:20171";
        PROXY_HOSTS = "github.com";
      };
    };
  };

# systemd hands Gitea a listening socket on port 22 for the built-in SSH
# server.  NOTE(review): this occupies port 22 on this host, so sshd must
# not also listen there (not visible in this file — confirm).
systemd.sockets.gitea.listenStreams = [ "22" ];
systemd.services.gitea = {
  requires = [ "gitea.socket" "data0.mount" ];
  after = [ "data0.mount" ];   # never start against an unmounted stateDir
};
# service: influxdb
# No listen address is configured here, so the module default applies;
# reachability is bounded only by the firewall — confirm that is intended.
services.influxdb2.enable = true;

# Keep InfluxDB's state on /data0 through a bind mount, and make sure the
# unit never starts against an empty /var/lib/influxdb2 before that mount
# is in place.
systemd.services.influxdb2 = {
  requires = [ "var-lib-influxdb2.mount" ];
  after = [ "var-lib-influxdb2.mount" ];
};
fileSystems."/var/lib/influxdb2" = {
  device = "/data0/lib/influxdb";
  options = [ "bind" ];
  depends = [ "/data0" ];   # the bind source is on the /data0 filesystem
};
# service: dnsmasq stub dns server
# Forwarding resolver for the "nasp" domain on the LAN interface and
# loopback only.  It ignores /etc/resolv.conf (no-resolv / no-poll) and
# forwards exclusively to the upstreams listed here, over plain port-53 DNS.
# NOTE(review): LAN clients can only reach it if port 53 is open on enp1s0;
# the firewall rules in this file do not open it — confirm where that is done.
services.dnsmasq = {
  enable = true;
  settings = {
    interface = [ "enp1s0" "lo" ];
    bind-interfaces = true;   # bind those interfaces only, not the wildcard
    domain-needed = true;     # never forward bare (dot-less) names upstream
    bogus-priv = true;        # never forward reverse lookups for private ranges
    no-resolv = true;
    no-poll = true;
    domain = "nasp";
    server = [
      # general upstreams (two IPv4, one IPv6)
      "101.6.6.6"
      "1.1.1.1"
      "2001:da8::666"
      # tsinghua.edu.cn and its subdomains go to these two servers instead
      "/tsinghua.edu.cn/166.111.8.29"
      "/tsinghua.edu.cn/166.111.8.28"
    ];
  };
};
# service: grafana
# OAuth client credentials come from sops and are read by Grafana at run
# time via $__file{...} from /run/secrets, so they never land in the store.
sops.secrets = {
  "grafana/oauth_client_id".owner = "grafana";
  "grafana/oauth_client_secret".owner = "grafana";
};

services.grafana =
  let gitea = "https://git.nasp.fit"; in {
    enable = true;
    dataDir = "/data0/lib/grafana";
    settings = {
      server = {
        # Bound to the LAN address (the same one given statically above);
        # root_url is https, so TLS is presumably terminated by a reverse proxy.
        http_addr = "192.168.122.118";
        http_port = 3002;
        domain = "grafana.nasp.fit";
        root_url = "https://grafana.nasp.fit/";
      };
      auth = {
        # Gitea OAuth is the only way in; the username/password form is hidden.
        # NOTE(review): if the OAuth flow breaks, local admin login requires
        # reverting this — confirm a recovery path exists.
        disable_login_form = true;
        # Lets Grafana attach an OAuth login to an existing user by e-mail
        # alone.  Grafana documents this as insecure: an IdP account with a
        # matching e-mail takes over that Grafana user.  Only acceptable if
        # Gitea verifies e-mail addresses and its sign-up is controlled — confirm.
        oauth_allow_insecure_email_lookup = true;
      };
      "auth.generic_oauth" = {
        enabled = true;
        name = "NASP Gitea";
        auto_login = true;
        # Every Gitea account may sign up; nothing here restricts by
        # organisation (e.g. allowed_organizations) or maps roles
        # (e.g. role_attribute_path), so new users get the default org role.
        allow_sign_up = true;
        scopes = "read:user,read:organization";
        empty_scopes = false;
        auth_url = "${gitea}/login/oauth/authorize";
        token_url = "${gitea}/login/oauth/access_token";
        api_url = "${gitea}/api/v1/user";
        # PKCE is off, so the client_secret alone binds the authorization
        # code to this client.  NOTE(review): Gitea's OAuth2 provider supports
        # PKCE — worth enabling if the deployed version does.
        use_pkce = false;
        client_id = "$__file{/run/secrets/grafana/oauth_client_id}";
        client_secret = "$__file{/run/secrets/grafana/oauth_client_secret}";
      };
    };
  };
# Release this host was first installed with.  It pins stateful defaults and,
# per the NixOS option docs, must not be bumped when upgrading.
system.stateVersion = "24.05";
}