202 lines
6.3 KiB
Nix
202 lines
6.3 KiB
Nix
{ config, pkgs, lib, ... }:
|
||
|
||
let
|
||
mainCfg = config.nasp;
|
||
hostName = ("g" + (builtins.toString mainCfg.serial));
|
||
ipSuffix = (builtins.toString (mainCfg.serial + 100));
|
||
in
|
||
{
|
||
options.nasp = {
|
||
serial = lib.mkOption {
|
||
type = lib.types.int;
|
||
description = "Serial of the machine (gX)";
|
||
};
|
||
};
|
||
|
||
# inplementation
|
||
config = {
|
||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||
nix.settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];
|
||
## system config
|
||
boot.loader.systemd-boot.enable = true;
|
||
boot.loader.efi.canTouchEfiVariables = true;
|
||
time.hardwareClockInLocalTime = true;
|
||
networking.hostName = assert (mainCfg.serial > 0); hostName;
|
||
networking.search = [ "nasp" ];
|
||
i18n.defaultLocale = "C.UTF-8";
|
||
i18n.extraLocaleSettings = lib.mkDefault {
|
||
LC_ADDRESS = "zh_CN.UTF-8";
|
||
LC_IDENTIFICATION = "zh_CN.UTF-8";
|
||
LC_MEASUREMENT = "zh_CN.UTF-8";
|
||
LC_MONETARY = "zh_CN.UTF-8";
|
||
LC_NAME = "zh_CN.UTF-8";
|
||
LC_NUMERIC = "zh_CN.UTF-8";
|
||
LC_PAPER = "zh_CN.UTF-8";
|
||
LC_TELEPHONE = "zh_CN.UTF-8";
|
||
LC_TIME = "zh_CN.UTF-8";
|
||
};
|
||
time.timeZone = lib.mkDefault "Asia/Shanghai";
|
||
## networking
|
||
networking.networkmanager.enable = true;
|
||
networking.interfaces = {
|
||
eno1.wakeOnLan.enable = true;
|
||
eno1.ipv4 = {
|
||
addresses = [
|
||
{
|
||
address = "192.168.16.${ipSuffix}";
|
||
prefixLength = 24;
|
||
}
|
||
];
|
||
routes = [
|
||
{
|
||
address = "0.0.0.0";
|
||
prefixLength = 0;
|
||
via = "192.168.16.118";
|
||
}
|
||
];
|
||
};
|
||
enp2s0np0.ipv4.addresses = [
|
||
{
|
||
address = "12.12.12.${ipSuffix}";
|
||
prefixLength = 24;
|
||
}
|
||
];
|
||
};
|
||
networking.extraHosts = ''
|
||
192.168.16.101 g1-nasp g1
|
||
192.168.16.102 g2-nasp g2
|
||
192.168.16.103 g3-nasp g3
|
||
192.168.16.104 g4-nasp g4
|
||
192.168.16.105 g5-nasp g5
|
||
192.168.16.106 g6-nasp g6
|
||
192.168.16.107 g7-nasp g7
|
||
192.168.16.108 g8-nasp g8
|
||
192.168.16.109 g9-nasp g9
|
||
192.168.16.110 g10-nasp g10
|
||
192.168.16.111 g11-nasp g11
|
||
192.168.16.112 g12-nasp g12
|
||
192.168.16.113 g13-nasp g13
|
||
192.168.16.114 g14-nasp g14
|
||
192.168.16.115 g15-nasp g15
|
||
192.168.16.116 g16-nasp g16
|
||
192.168.16.117 g17-nasp g17
|
||
192.168.16.118 g18-nasp g18 nasp.fit git.nasp.fit
|
||
192.168.16.119 g19-nasp g19
|
||
192.168.16.120 g20-nasp g20
|
||
'';
|
||
networking.firewall = {
|
||
allowedTCPPorts = [ 12022 ];
|
||
extraCommands = ''
|
||
iptables -A INPUT -s 192.168.16.0/24 -j ACCEPT
|
||
iptables -A INPUT -s 12.12.12.0/24 -j ACCEPT
|
||
'';
|
||
};
|
||
networking.rxe = {
|
||
enable = true;
|
||
interfaces = [ "enp2s0np0" ];
|
||
};
|
||
## packages and services
|
||
nixpkgs.config.allowUnfree = true;
|
||
environment.systemPackages = with pkgs; [
|
||
bash cmake curl file fzf gcc git gnumake htop inetutils iproute2 iputils less man nettools
|
||
openssh openssl python3 rdma-core sops sudo tmux util-linux vim wget zsh
|
||
# extended
|
||
acpi atop btop dialog dig dmidecode dos2unix ethtool fish iftop iotop killall lshw lsof
|
||
mtr netcat-gnu nethogs nmap pciutils plocate pstree pwgen ripgrep smartmontools socat
|
||
sysstat tcpdump unzip usbutils virt-what zip
|
||
# full
|
||
wireshark zmap
|
||
];
|
||
programs.zsh.enable = true;
|
||
services.cron.enable = true;
|
||
## user config
|
||
users.users.root.shell = pkgs.zsh;
|
||
## dotfiles.cn
|
||
system.activationScripts.dotfilesSetup.text = ''
|
||
if [ -d ~ -a ! -e ~/dotfiles/update.sh ]; then
|
||
source ${config.system.build.setEnvironment}
|
||
rm -rf ~/dotfiles
|
||
bash <(curl -fsSL dotfiles.cn)
|
||
fi
|
||
'';
|
||
## server
|
||
services.openssh.enable = true;
|
||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
||
services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys2" ];
|
||
services.openssh.ports = [ 12022 ];
|
||
systemd.targets.sleep.enable = false;
|
||
systemd.targets.suspend.enable = false;
|
||
systemd.targets.hibernate.enable = false;
|
||
systemd.targets.hybrid-sleep.enable = false;
|
||
## xserver
|
||
services.xserver = {
|
||
enable = true;
|
||
videoDrivers = [ "nvidia" ];
|
||
displayManager.gdm.enable = true;
|
||
desktopManager.gnome = {
|
||
enable = true;
|
||
extraGSettingsOverridePackages = [ pkgs.gnome.mutter ];
|
||
extraGSettingsOverrides = ''
|
||
[org.gnome.mutter]
|
||
experimental-features=['scale-monitor-framebuffer']
|
||
'';
|
||
};
|
||
layout = "us";
|
||
xkbVariant = "";
|
||
};
|
||
## docker
|
||
virtualisation.docker = {
|
||
enable = true;
|
||
enableNvidia = true;
|
||
daemon.settings = {
|
||
ipv6 = true;
|
||
fixed-cidr-v6 = "fddd:d0c1:1::/64";
|
||
experimental = true;
|
||
ip6tables = true;
|
||
live-restore = false;
|
||
};
|
||
};
|
||
nixpkgs.config.nvidia.acceptLicense = true;
|
||
hardware.nvidia = {
|
||
package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
|
||
modesetting.enable = true;
|
||
powerManagement.enable = false;
|
||
powerManagement.finegrained = false;
|
||
open = false;
|
||
nvidiaSettings = true;
|
||
};
|
||
hardware.opengl = {
|
||
enable = true;
|
||
driSupport = true;
|
||
driSupport32Bit = true;
|
||
};
|
||
## users
|
||
users.mutableUsers = true;
|
||
users.users.root.openssh.authorizedKeys.keys = [
|
||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUN7IXF4nlFcVfgHesgik3LIAiXlVMYJPm3yD13EVarQx5jqdBgk8Dwgkgf4rPO6MFpvIpinOyEO8zOS6HHQrCLZUv5yTFaDkUuB7eQ0EmpicGbmk9bHqj1HkOZxaobkpEfQUmFKYvkp4EexVw66sO0qfXvjHZ4H6yCAJLK5aUnKfgrE8tODzP82sU/mpJjW+Pq3uanNq754gaHwhxCIXG143/zp8qzBAeKe38xVqqDq9fTkG4hvzFvkRdS88i6l1z++0P3n0HGdOjtSg7P7fO7+7ZyPYr0gO5vB720Om/zxqPrGd9cicWi4P+aVKa+0ujWH/pqufWG6uCjKWHnBs7 sk0/piv/9a"
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLYgVj+NPino6sOmahULN7SbAMaVAgzqPfDjz2S8zDv pc1/windows"
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhS4voo3K/Dvzqckr0bouO1WkCI5XxswstHWnuuyKBz ltp1-bd"
|
||
];
|
||
users.users.nasp = {
|
||
isNormalUser = true;
|
||
createHome = true;
|
||
group = "nasp";
|
||
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||
packages = with pkgs; [
|
||
firefox
|
||
];
|
||
hashedPassword = "$y$j9T$Ei67I7VhQD6gF20/lNBUx0$jnrLqLNSJVCS959deKCamoOi4Q76nNeQ7/kDQCCABl1";
|
||
};
|
||
users.groups.nasp = {};
|
||
security.sudo.extraConfig = ''
|
||
%nasp ALL = (root) NOPASSWD: /usr/bin/docker
|
||
%nasp ALL = (root) NOPASSWD: /usr/sbin/reboot
|
||
%nasp ALL = (root) NOPASSWD: /usr/bin/whoami
|
||
%nasp ALL = (root) NOPASSWD: /usr/bin/nvidia-smi
|
||
%nasp ALL = (root) NOPASSWD: /usr/sbin/shutdown
|
||
%nasp ALL = (root) NOPASSWD: /usr/sbin/ufw
|
||
%nasp ALL = (root) NOPASSWD: /usr/sbin/ip
|
||
'';
|
||
};
|
||
}
|